r6055: Fix algorithm. If any of the primary or supplementary group ids match
authorJeremy Allison <jra@samba.org>
Fri, 25 Mar 2005 01:30:21 +0000 (01:30 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:56:19 +0000 (10:56 -0500)
a "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't
terminate on the first match. Added debug to show where the match occurred
(or didn't).
Jeremy.

source/smbd/posix_acls.c

index 76b67169f21900db60a72d83adc424ec78bd48c0..33db14aec3a49b04de1f010360e59bb8641b0877 100644 (file)
@@ -3860,6 +3860,11 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
                        goto check_stat;
                }
 
+               /* If we don't have write permission this entry never matches. */
+               if (have_write == 0) {
+                       continue;
+               }
+
                switch(tagtype) {
                        case SMB_ACL_GROUP:
                        {
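Review bot: The new guard `if (have_write == 0) { continue; }` only skips entries whose write bit is exactly zero, so it does not fail closed if have_write can hold an error value. Its assignment is outside this hunk; if it comes straight from the permission lookup and that lookup can return -1, such an entry now reaches the gid match in the next hunk, where `ret = 1` replaces the old `ret = have_write` and reports write access. Testing `if (have_write <= 0) { continue; }`, or normalising the value where it is read, would keep a failed lookup from being treated as an allow entry.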
@@ -3870,9 +3875,9 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
                                for (i = 0; i < current_user.ngroups; i++) {
                                        if (current_user.groups[i] == *pgid) {
                                                /* We're done now we have a gid match. */
-                                               ret = have_write;
+                                               ret = 1;
                                                DEBUG(10,("check_posix_acl_group_write: file %s \
-match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write"));
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
                                                goto done;
                                        }
                                }
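Review bot: The match at `ret = 1` grants write on the named GROUP entry's own permission bit, and nothing visible in this hunk shows the ACL mask being applied. Under POSIX ACL evaluation a named group entry is effective only up to the SMB_ACL_MASK entry, so a group entry with write under a mask without write should not produce "can write". The enclosing loop starts and ends outside the hunk, so the mask may already be handled earlier. If it is, a comment such as `/* SMB_ACL_MASK write permission has already been verified at this point. */` would make that dependency explicit; if it is not, the mask needs to be tested before this assignment.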
@@ -3886,13 +3891,24 @@ match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "ca
 
   check_stat:
 
+       /* If we get here we know ret == 0. */
+       SMB_ASSERT(ret == 0);
+
        for (i = 0; i < current_user.ngroups; i++) {
                if (current_user.groups[i] == psbuf->st_gid) {
                        ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+                       DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
                        break;
                }
        }
 
+       if (i == current_user.ngroups) {
+               SMB_ASSERT(ret == 0);
+               DEBUG(10,("check_posix_acl_group_write: file %s \
+failed to match on user or group in token.\n", fname ));
+       }
+
   done:
 
        SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
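Review bot: The owning-group fallback after `check_stat:` decides from `psbuf->st_mode & S_IWGRP`, but on platforms that map the ACL mask onto the group bits of st_mode (Linux does this for files with extended ACLs) that bit reports the mask, not the GROUP_OBJ permission. Since the first hunk now skips entries that lack write, a GROUP_OBJ entry without write appears to fall through to this label (the code between the loop and the label is outside the hunk), and a member of the owning group could then be reported as "can write" only because the mask allows it. Consider running the st_mode test only when the file has no extended ACL entries, and at minimum add `/* st_mode group bits may reflect the ACL mask, not GROUP_OBJ. */` above the loop. Separately, the second `SMB_ASSERT(ret == 0)` inside `if (i == current_user.ngroups)` repeats the first, since ret is assigned only in the matching branch.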