For the vfs_acl_xattr.c module, make sure we map GENERIC file and directory bits
authorJeremy Allison <jra@samba.org>
Thu, 9 Oct 2008 01:06:58 +0000 (18:06 -0700)
committerJeremy Allison <jra@samba.org>
Thu, 9 Oct 2008 01:06:58 +0000 (18:06 -0700)
to specific bits every time a security descriptor is set. The S4 torture suite proves
that generic bits are not returned when querying an ACL set using them (i.e. only
the specific bits are stored on disk).
Jeremy.

source3/include/proto.h
source3/lib/util_seaccess.c
source3/rpc_server/srv_srvsvc_nt.c
source3/smbd/nttrans.c
source3/smbd/open.c

index 535adf7e2f298e4dbd4be4ad29618903b62b7bb5..b7e363253f631f8845eb681f2f4d303aa25917c8 100644 (file)
@@ -1431,6 +1431,7 @@ WERROR registry_push_value(TALLOC_CTX *mem_ctx,
 /* The following definitions come from lib/util_seaccess.c  */
 
 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping);
+void security_acl_map_generic(struct security_acl *sa, const struct generic_mapping *mapping);
 void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping);
 bool se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
                     uint32 acc_desired, uint32 *acc_granted, 
index 87e70bb95bf1b2eb6475c39c5148ec61b4693255..cab4261adf14782f854e0d37fbfb77a38e8f84a7 100644 (file)
@@ -176,6 +176,24 @@ void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
        }
 }
 
+/* Map generic access rights to object specific rights for all the ACE's
+ * in a security_acl.
+ */
+
+void security_acl_map_generic(struct security_acl *sa,
+                               const struct generic_mapping *mapping)
+{
+       unsigned int i;
+
+       if (!sa) {
+               return;
+       }
+
+       for (i = 0; i < sa->num_aces; i++) {
+               se_map_generic(&sa->aces[i].access_mask, mapping);
+       }
+}
+
 /* Map standard access rights to object specific rights.  This technique is
    used to give meaning to assigning read, write, execute and all access to
    objects.  Each type of object has its own mapping of standard to object
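Review bot: The header comment on security_acl_map_generic does not state that a NULL sa is accepted and treated as a no-op, yet that is exactly the contract the new callers in srv_srvsvc_nt.c, nttrans.c and open.c rely on when they pass psd->dacl and psd->sacl straight through without checking them. Suggest extending the comment with `A NULL sa is a no-op, so a descriptor's dacl/sacl pointer may be passed directly even when absent.` The blank line between the comment block and the definition also detaches the comment from the function it documents; dropping it keeps the two together. The loop also assumes sa->aces[i].access_mask has the type se_map_generic expects for its uint32 pointer; that type is not visible here and is worth confirming against the struct definition.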
index fb7478653d09f131ef8c9fe620e247d3229ca828..47688b114c8ad7246209aa54b58c46357811d3d7 100644 (file)
@@ -2150,6 +2150,8 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p,
        connection_struct *conn = NULL;
        int snum;
        char *oldcwd = NULL;
+       struct security_descriptor *psd = NULL;
+       uint32_t security_info_sent = 0;
 
        ZERO_STRUCT(st);
 
@@ -2198,9 +2200,29 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p,
                goto error_exit;
        }
 
+       psd = r->in.sd_buf->sd;
+       security_info_sent = r->in.securityinformation;
+
+       if (psd->owner_sid==0) {
+               security_info_sent &= ~OWNER_SECURITY_INFORMATION;
+       }
+       if (psd->group_sid==0) {
+               security_info_sent &= ~GROUP_SECURITY_INFORMATION;
+       }
+       if (psd->sacl==0) {
+               security_info_sent &= ~SACL_SECURITY_INFORMATION;
+       }
+       if (psd->dacl==0) {
+               security_info_sent &= ~DACL_SECURITY_INFORMATION;
+       }
+
+       /* Convert all the generic bits. */
+       security_acl_map_generic(psd->dacl, &file_generic_mapping);
+       security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
        nt_status = SMB_VFS_FSET_NT_ACL(fsp,
-                                      r->in.securityinformation,
-                                      r->in.sd_buf->sd);
+                                       security_info_sent,
+                                       psd);
 
        if (!NT_STATUS_IS_OK(nt_status) ) {
                DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL "
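Review bot: The four component checks compare pointers against the integer 0 (`psd->owner_sid==0` and the three that follow); `== NULL` states the intent and matches the `psd = NULL` initialisation added in the first hunk. Whether r->in.sd_buf and the descriptor it carries are checked for NULL before the new `psd = r->in.sd_buf->sd;` line is not visible in this hunk; if they are not, psd->owner_sid dereferences a NULL pointer on a request that omits the descriptor, so that check should be confirmed above the hunk. The block of four bit-clearing tests duplicates logic already present in set_sd() in nttrans.c (its `security_info_sent &= ~DACL_SECURITY_INFORMATION;` tail is visible in that section), so a shared helper that normalises the security_information mask against the descriptor and then applies the generic mapping would keep the RPC and NT-transact paths from drifting. _srvsvc_NetSetFileSecurity's body continues outside both hunks.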
index 584399c86c9331d6f93ae59616a461aa1b9f24e1..061855876ce3fa5b3b79ca16f0935b6d0d16d024 100644 (file)
@@ -713,6 +713,7 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
 static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
                       uint32 security_info_sent)
 {
+       extern const struct generic_mapping file_generic_mapping;
        SEC_DESC *psd = NULL;
        NTSTATUS status;
 
@@ -739,6 +740,10 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
                security_info_sent &= ~DACL_SECURITY_INFORMATION;
        }
 
+       /* Convert all the generic bits. */
+       security_acl_map_generic(psd->dacl, &file_generic_mapping);
+       security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
        status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
 
        TALLOC_FREE(psd);
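Review bot: The `extern const struct generic_mapping file_generic_mapping;` added at block scope inside set_sd() hides a cross-module dependency in a function body; since this commit already edits proto.h, the declaration belongs there (or in the header that defines the mapping) so every translation unit sees a single declaration and the other two new call sites in srv_srvsvc_nt.c and open.c do not need their own. The mapping calls in the second hunk sit after the security_info_sent bit-clearing and before SMB_VFS_FSET_NT_ACL, which is consistent with the mapping mutating psd->dacl and psd->sacl in place and psd being freed immediately after the call. set_sd() begins in the first hunk, and the code between the hunks where psd is unmarshalled and presumably NULL-checked is outside the view.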
index ad024a58efa5f6daec71fae79cd8aabf61a360ee..8727e80d5f740353f4d5900e31bd35d1efb4114c 100644 (file)
@@ -2764,6 +2764,10 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
 
                fsp->access_mask = FILE_GENERIC_ALL;
 
+               /* Convert all the generic bits. */
+               security_acl_map_generic(sd->dacl, &file_generic_mapping);
+               security_acl_map_generic(sd->sacl, &file_generic_mapping);
+
                status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
 
                fsp->access_mask = saved_access_mask;
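Review bot: security_acl_map_generic rewrites the ACE access masks of `sd` in place, and `sd` here appears to be the descriptor handed to create_file_unixpath by its caller rather than a local copy (its origin is outside the hunk), so after this call the caller's descriptor holds specific rights instead of the generic ones it supplied. If any caller reuses or logs that descriptor after create_file_unixpath returns, the change is visible to it; a short comment above the two calls, `/* Maps the caller's sd in place; its generic bits are replaced by specific ones. */`, or mapping a talloc copy where callers need the original preserved, would make the side effect explicit. create_file_unixpath's body continues on both sides of this hunk.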