From 59106473d37044adf5f1edde24221e1f70f15972 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 9 May 2012 12:11:45 +1000
Subject: [PATCH] s3-smbd: Do not merge UID ACE values with GID ACE values for posix ACL
This might happen when we get a SID mapped to IDMAP_BOTH.
Andrew Bartlett
Signed-off-by: Jeremy Allison
---
 source3/smbd/posix_acls.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index bbf0eae0f19..a313190fd22 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -949,15 +949,21 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
 /* For file ACLs we can merge if the SIDs and ALLOW/DENY
 * types are the same. For directory acls we must also
- * ensure the POSIX ACL types are the same. */
+ * ensure the POSIX ACL types are the same.
+ *
+ * For the IDMAP_BOTH case, we must not merge
+ * the UID and GID ACE values for same SID
+ */
 if (!dir_acl) {
 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->attr == curr_ace_outer->attr));
 } else {
 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->type == curr_ace_outer->type) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->type == curr_ace_outer->type) &&
+ (curr_ace->attr == curr_ace_outer->attr));
 }
 if (can_merge) {
@@ -1005,7 +1011,8 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
 */
 if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
+ (curr_ace->owner_type == curr_ace_outer->owner_type) &&
+ (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
 if( DEBUGLVL( 10 )) {
 dbgtext("merge_aces: Masking ACE's\n");
--
2.34.1
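Review bot: The new `owner_type` comparison in both branches of the `if (!dir_acl)` test is written without parentheses, while the adjacent `type` and `attr` comparisons, and the same check in the later masking hunk, are parenthesised. Writing it as `(curr_ace->owner_type == curr_ace_outer->owner_type) &&` would keep the conditions uniform. The extended comment says the UID and GID entries must not be merged but not why. I would add one sentence, for example `A SID mapped to IDMAP_BOTH may be present as both a user and a group entry; merging them would combine two distinct POSIX ACL entries into one.` The merge body and the rest of merge_aces are outside the hunk, so the exact effect of a wrong merge is inferred, not visible here.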
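Review bot: With the added `owner_type` test in the DENY/ALLOW masking condition, a deny entry now masks an allow entry only when both carry the same owner type. For a SID mapped to IDMAP_BOTH, a deny recorded under one type would therefore leave an allow of the other type unmasked. Whether that can occur depends on how the list is populated, which is outside this hunk. If the builder is expected to emit the deny under both types, a comment above the condition would make the assumption checkable, for example `/* A deny masks only an allow of the same owner_type; IDMAP_BOTH SIDs must carry the deny as both entries. */`. The diffstat shows only posix_acls.c changed, so a regression test with mixed allow and deny entries for an IDMAP_BOTH SID would be worth adding.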