s3-smbd: Consider a group with the same SID as sufficient duplication
author Andrew Bartlett <abartlet@samba.org>
Thu, 10 May 2012 01:05:41 +0000 (11:05 +1000)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 17 May 2012 01:17:05 +0000 (03:17 +0200)
This code is to ensure that the user does not lose rights when their file
ownership is taken away.  If the owner (an IDMAP_BOTH SID) appears as a group
then a duplicate user is not required.

Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/posix_acls.c

index 6e97dcf873e13ed0c0feda8f1a86df31c40f407f..99e915678ab1d27d616a1bbc826097e194365e7d 100644 (file)
@@ -1525,6 +1525,13 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
                                        pace->unix_ug.gid == pace_user->unix_ug.gid) {
                                /* Already got one. */
                                got_duplicate_group = true;
+                       } else if ((pace->type == SMB_ACL_GROUP)
+                                  && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
+                               /* If the SID owning the file appears
+                                * in a group entry, then we have
+                                * enough duplication, they will still
+                                * have access */
+                               got_duplicate_user = true;
                        }
                }
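
Review bot: The new `else if` branch tests only `pace->type == SMB_ACL_GROUP` and `dom_sid_equal(&pace->trustee, &pace_user->trustee)`, so any group entry carrying the owner's SID sets `got_duplicate_user = true` regardless of what that entry grants. The comment asserts "they will still have access", but nothing in the visible condition compares the group entry's permissions with the owner entry's. If the group entry can carry fewer rights, the owner could end up with reduced access once ownership is taken away, which is what the commit message says this code exists to prevent. Consider either comparing the permission bits before skipping the duplicate, or stating in the comment why the group entry is guaranteed to be sufficient. The comment should also name the IDMAP_BOTH case from the commit message, since setting a flag called `got_duplicate_user` from a group entry is otherwise surprising to the next reader.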