do not merge ACEs with different SMB_ACE4_INHERIT_ONLY_ACE flag, this leads to wrong...

user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

would be merged to

user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

so the explicit right for the user on the parent directory will be gone (the InheritOnly flag only accounts to subdirectories)
thus leaving the user without access to the directory itself

Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index b213138c800dce6f50c5761f9f39955990ce93af..70bdaa8826e5d50ca917bcb03e7a237327e0d797 100644 (file)
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -433,8 +433,15 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
        for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
                SMB_ACE4PROP_T *ace = &aceint->prop;
 
+                DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
+                         "new type:0x%x flags:0x%x aceFlags:0x%x\n",
+                         ace->aceType, ace->flags, ace->aceFlags,
+                         aceNew->aceType, aceNew->flags,aceNew->aceFlags));
+
                if (ace->flags == aceNew->flags &&
                        ace->aceType==aceNew->aceType &&
+                       ((ace->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)==
+                        (aceNew->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)) &&
                        (ace->aceFlags&SMB_ACE4_IDENTIFIER_GROUP)==
                        (aceNew->aceFlags&SMB_ACE4_IDENTIFIER_GROUP)
                ) {