r6946: Allow mapping of POSIX ACLs to NT perms to differentiate between directories
authorJeremy Allison <jra@samba.org>
Mon, 23 May 2005 20:47:43 +0000 (20:47 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:56:58 +0000 (10:56 -0500)
and files. Needed for Volker's coming changes.
Jeremy.
(This used to be commit b257744fdfd0a8d940ae834b3c21f0f298c7d1f9)

source3/include/smb.h
source3/smbd/posix_acls.c

index 41aaa317fd56d180cdd2cd0490da3be447e97752..35ae5723b05ee3b88685729c00cbc5097edbb4ce 100644 (file)
@@ -1110,6 +1110,12 @@ struct bitmap {
 #define UNIX_ACCESS_W          FILE_GENERIC_WRITE
 #define UNIX_ACCESS_X          FILE_GENERIC_EXECUTE
 
+/* Mapping of access rights to UNIX perms. for a UNIX directory. */
+#define UNIX_DIRECTORY_ACCESS_RWX              FILE_GENERIC_ALL
+#define UNIX_DIRECTORY_ACCESS_R                FILE_GENERIC_READ
+#define UNIX_DIRECTORY_ACCESS_W                        FILE_GENERIC_WRITE
+#define UNIX_DIRECTORY_ACCESS_X                        FILE_GENERIC_EXECUTE
+
 #if 0
 /*
  * This is the old mapping we used to use. To get W2KSP2 profiles
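Review bot: The four `UNIX_DIRECTORY_ACCESS_*` macros expand to exactly the same `FILE_GENERIC_*` values as the `UNIX_ACCESS_*` set just above, and the added comment does not say that this is deliberate. A reader comparing the two sets cannot tell a placeholder from a copy-paste slip, so the comment should record the intent, e.g. `/* Mapping of UNIX perms to NT access rights for a directory. Currently identical to the file mapping; kept separate so the two can diverge. */`. One semantic gap is worth noting there as well: POSIX write permission on a directory allows entries to be removed, which NT expresses as the separate `FILE_DELETE_CHILD` right. Whether `FILE_GENERIC_WRITE` covers that is not visible in this hunk, so it should be confirmed before the reported mask is treated as the effective directory rights.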
index b5052eec2561c8fd6389b19d7ebf8ae8190a1a90..b5ac2e8241d231ec68dc172bc5a1c154135c581c 100644 (file)
@@ -801,7 +801,7 @@ static BOOL nt4_compatible_acls(void)
  not get. Deny entries are implicit on get with ace->perms = 0.
 ****************************************************************************/
 
-static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace)
+static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace)
 {
        SEC_ACCESS sa;
        uint32 nt_mask = 0;
@@ -809,7 +809,11 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
        *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
 
        if ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS) {
+               if (directory_ace) {
+                       nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
+               } else {
                        nt_mask = UNIX_ACCESS_RWX;
+               }
        } else if ((ace->perms & ALL_ACE_PERMS) == (mode_t)0) {
                /*
                 * Windows NT refuses to display ACEs with no permissions in them (but
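Review bot: The `directory_ace` test added in the `ALL_ACE_PERMS` branch is repeated in the final `else` branch in the next hunk, so each permission bit now has two places where the file and directory mappings must be kept in step. A later edit that touches only one branch would make the ACL shown to clients differ depending on whether the entry happens to be full rwx. Choosing the four masks once, after the local declarations, and using them in both branches removes the duplication without changing the result. The body of map_canon_ace_perms starts and ends outside this hunk.

```c
static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace)
{
	/* … unchanged: sa and nt_mask declarations … */
	uint32 acc_rwx = directory_ace ? UNIX_DIRECTORY_ACCESS_RWX : UNIX_ACCESS_RWX;
	uint32 acc_r = directory_ace ? UNIX_DIRECTORY_ACCESS_R : UNIX_ACCESS_R;
	uint32 acc_w = directory_ace ? UNIX_DIRECTORY_ACCESS_W : UNIX_ACCESS_W;
	uint32 acc_x = directory_ace ? UNIX_DIRECTORY_ACCESS_X : UNIX_ACCESS_X;

	/* … unchanged: *pacl_type default, ALL_ACE_PERMS test … */
		nt_mask = acc_rwx;
	/* … unchanged: empty-permissions branch … */
	} else {
		nt_mask |= ((ace->perms & S_IRUSR) ? acc_r : 0 );
		nt_mask |= ((ace->perms & S_IWUSR) ? acc_w : 0 );
		nt_mask |= ((ace->perms & S_IXUSR) ? acc_x : 0 );
```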
@@ -825,9 +829,15 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
                else
                        nt_mask = 0;
        } else {
-               nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
-               nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
-               nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
+               if (directory_ace) {
+                       nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
+                       nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
+                       nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
+               } else {
+                       nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
+                       nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
+                       nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
+               }
        }
 
        DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
@@ -2815,7 +2825,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
                        for (i = 0; i < num_acls; i++, ace = ace->next) {
                                SEC_ACCESS acc;
 
-                               acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+                               acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
                                init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, ace->inherited ? SEC_ACE_FLAG_INHERITED_ACE : 0);
                        }
 
@@ -2833,7 +2843,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
                        for (i = 0; i < num_def_acls; i++, ace = ace->next) {
                                SEC_ACCESS acc;
        
-                               acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+                               acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
                                init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc,
                                                SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
                                                SEC_ACE_FLAG_INHERIT_ONLY|
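Review bot: In the default-ACL loop the new argument is `fsp->is_directory`, so these inherit-only ACEs are built from the directory mapping although they carry `SEC_ACE_FLAG_OBJECT_INHERIT` and therefore describe what files created below the directory receive as well. With the two macro sets identical today nothing changes, but once `UNIX_DIRECTORY_ACCESS_*` diverges the security descriptor returned to clients would presumably advertise directory-only rights on ACEs that files inherit. A comment at the call would keep that visible, e.g. `/* Default ACEs are inherited by files and subdirectories; mapped with the directory mask - revisit if the file and directory mappings diverge. */`. The body of get_nt_acl continues outside this hunk, so how the ACE list is used afterwards cannot be checked from here.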