Pass all the non-inherited S4 RAW-ACL tests.
authorJeremy Allison <jra@samba.org>
Tue, 4 Nov 2008 06:42:53 +0000 (22:42 -0800)
committerJeremy Allison <jra@samba.org>
Tue, 4 Nov 2008 06:42:53 +0000 (22:42 -0800)
Jeremy.

source3/lib/util_seaccess.c
source3/modules/vfs_acl_xattr.c
source3/smbd/open.c

index d7fdc9a8b9eed82a1a43e442f8a67407edd9075a..fdc10f20ab62568ba9c2f7eda49ea8a8e18f1752 100644 (file)
@@ -164,10 +164,17 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 
        /* handle the maximum allowed flag */
        if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+               uint32_t orig_access_desired = access_desired;
+
                access_desired |= access_check_max_allowed(sd, token);
                access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
                *access_granted = access_desired;
                bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+               DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+                       orig_access_desired,
+                       *access_granted,
+                       bits_remaining));
        }
 
 #if 0
index e465e8f3808edb358799aa13b516c014f1a2d673..c3b27f81a5a30e1da65cf5ab0d372c901ded0185 100644 (file)
@@ -442,6 +442,10 @@ static int open_acl_xattr(vfs_handle_struct *handle,
                                        fsp->access_mask,
                                        &access_granted);
                if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(10,("open_acl_xattr: file %s open "
+                               "refused with error %s\n",
+                               fname,
+                               nt_errstr(status) ));
                        errno = map_errno_from_nt_status(status);
                        return -1;
                }
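Review bot: The new DEBUG in the `!NT_STATUS_IS_OK(status)` branch logs the file name and the status but not the mask that was refused, which is the first thing needed when triaging an ACL denial. Consider extending the message, e.g. `"refused with error %s (access_mask 0x%x)\n", fname, nt_errstr(status), (unsigned int)fsp->access_mask`. The message is emitted only at level 10, so refusals from this module stay invisible at normal log levels; if they are meant to be auditable, a short comment saying where that is logged would help. open_acl_xattr starts and ends outside the hunk.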
index 5836c43afc479a159f21b88df071e6f6880c5067..dde1d0dd4ba8a349ec33024407da14c467f63750 100644 (file)
@@ -1206,15 +1206,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
                   create_disposition, create_options, unx_mode,
                   oplock_request));
 
-       if ((access_mask & FILE_READ_DATA)||(access_mask & FILE_WRITE_DATA)) {
-               DEBUG(10, ("open_file_ntcreate: adding FILE_READ_ATTRIBUTES "
-                       "to requested access_mask 0x%x, new mask 0x%x",
-                       access_mask,
-                       access_mask | FILE_READ_ATTRIBUTES ));
-
-               access_mask |= FILE_READ_ATTRIBUTES;
-       }
-
        if ((req == NULL) && ((oplock_request & INTERNAL_OPEN_ONLY) == 0)) {
                DEBUG(0, ("No smb request but not an internal only open!\n"));
                return NT_STATUS_INTERNAL_ERROR;
@@ -1408,10 +1399,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
                        }
 
                        access_mask = access_granted;
-                       /*
-                        * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
-                        */
-                       access_mask |= FILE_READ_ATTRIBUTES;
                } else {
                        access_mask = FILE_GENERIC_ALL;
                }
@@ -1856,7 +1843,10 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
        /* Record the options we were opened with. */
        fsp->share_access = share_access;
        fsp->fh->private_options = create_options;
-       fsp->access_mask = access_mask;
+       /*
+        * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+        */
+       fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;
 
        if (file_existed) {
                /* stat opens on existing files don't get oplocks. */
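Review bot: `fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;` records a right on the handle that is now only added after the access check, because the hunk at -1206 removes the place where it was folded into the requested mask beforehand. A descriptor that denies read-attributes therefore appears to have no effect on the recorded mask, and the comment should say so, e.g. `/* FILE_READ_ATTRIBUTES is always granted (Samba4 behaviour); it is added after the ACL check and is never evaluated against the security descriptor. */`. The local `access_mask` now differs from `fsp->access_mask` by this bit, so any use of the local between the check and this line (not visible here) sees a mask without it; that looks intended but is worth confirming. The comment also says SEC_FILE_READ_ATTRIBUTE while the code uses FILE_READ_ATTRIBUTES. open_file_ntcreate begins and ends outside the hunk.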