s3 onefs: Fix ignore sacl parameter
authorTim Prouty <tprouty@samba.org>
Wed, 13 May 2009 00:38:10 +0000 (17:38 -0700)
committerTim Prouty <tprouty@samba.org>
Wed, 13 May 2009 00:52:00 +0000 (17:52 -0700)
source3/modules/onefs.h
source3/modules/onefs_acl.c
source3/modules/onefs_open.c
source3/modules/onefs_system.c

index bb7695800ebd11051b5b08b6df531fd501a5beb5..9d63021f42e160a1ffd2796f39b0621bcce68258 100644 (file)
@@ -136,8 +136,9 @@ NTSTATUS onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
  * Utility functions
  */
 struct ifs_security_descriptor;
-NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
-                             struct ifs_security_descriptor *sd, int snum);
+NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd,
+                             struct ifs_security_descriptor *sd, int snum,
+                             uint32_t *security_info_effective);
 
 NTSTATUS onefs_split_ntfs_stream_name(TALLOC_CTX *mem_ctx, const char *fname,
                                      char **pbase, char **pstream);
index 8ee31abc889dd033a05ab654acd454506e12f7dd..d66e5d65fa9e72b687fab6b2816bb1e6667802c0 100644 (file)
@@ -810,8 +810,9 @@ onefs_get_nt_acl(vfs_handle_struct *handle, const char* name,
  *
  * @return NTSTATUS_OK if successful
  */
-NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
-                             struct ifs_security_descriptor *sd, int snum)
+NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd,
+                             struct ifs_security_descriptor *sd, int snum,
+                             uint32_t *security_info_effective)
 {
        struct ifs_security_acl *daclp, *saclp;
        struct ifs_identity owner, group, *ownerp, *groupp;
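Review bot: The doc comment that ends just above this signature does not describe the new out-parameter; only its `@return` line is visible in this hunk, so this is judged from the lines shown. A line such as `@param security_info_effective  on return, security_info_sent with the DACL/SACL bits removed for parts that were ignored` would tell callers that this is the mask to hand to the filesystem call. The comment begins outside the hunk and the function body continues past it.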
@@ -822,6 +823,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
        daclp = NULL;
        saclp = NULL;
 
+       *security_info_effective = security_info_sent;
+
        /* Setup owner */
        if (security_info_sent & OWNER_SECURITY_INFORMATION) {
                if (!onefs_og_to_identity(psd->owner_sid, &owner, false, snum))
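Review bot: `*security_info_effective = security_info_sent;` dereferences the new out-parameter without a check, in a function that is exported through onefs.h. Both callers in this commit pass the address of a local, but a later caller passing NULL would crash the server process here; either reject it with `if (security_info_effective == NULL) return NT_STATUS_INVALID_PARAMETER;` or state the non-NULL requirement in the doc comment. On the early `NT_STATUS_ACCESS_DENIED` returns the value is left partly updated, so it should be documented as valid only when the status is OK. The function body extends beyond this hunk.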
@@ -849,7 +852,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
                        return NT_STATUS_ACCESS_DENIED;
 
                if (ignore_aces == true)
-                       security_info_sent &= ~DACL_SECURITY_INFORMATION;
+                       *security_info_effective &= ~DACL_SECURITY_INFORMATION;
        }
 
        /* Setup SACL */
@@ -857,8 +860,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
 
                if (lp_parm_bool(snum, PARM_ONEFS_TYPE,
                            PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
-                       DEBUG(5, ("Ignoring SACLs.\n"));
-                       security_info_sent &= ~SACL_SECURITY_INFORMATION;
+                       DEBUG(5, ("Ignoring SACL.\n"));
+                       *security_info_effective &= ~SACL_SECURITY_INFORMATION;
                } else {
                        if (psd->sacl) {
                                if (!onefs_samba_acl_to_acl(psd->sacl,
@@ -866,7 +869,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
                                        return NT_STATUS_ACCESS_DENIED;
 
                                if (ignore_aces == true) {
-                                       security_info_sent &=
+                                       *security_info_effective &=
                                            ~SACL_SECURITY_INFORMATION;
                                }
                        }
@@ -879,6 +882,9 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
                (daclp ? &daclp : NULL), (saclp ? &saclp : NULL), false))
                return NT_STATUS_ACCESS_DENIED;
 
+       DEBUG(10, ("sec_info_sent: 0x%x, sec_info_effective: 0x%x.\n",
+                  security_info_sent, *security_info_effective));
+
        return NT_STATUS_OK;
 }
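Review bot: The new DEBUG(10) call passes two `uint32_t` values to `0x%x` without a cast, and the onefs_sys_create_file hunk in onefs_system.c likewise drops the `(unsigned int)` cast when `secinfo` becomes `sec_info_effective`, although the neighbouring arguments there keep theirs (the format string is outside that hunk). Writing `(unsigned int)security_info_sent, (unsigned int)*security_info_effective` here, and keeping `(unsigned int)sec_info_effective` there, keeps each argument matched to its conversion and consistent with the surrounding lines.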
 
@@ -890,19 +896,20 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
  */
 NTSTATUS
 onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
-                 uint32 security_info_sent, SEC_DESC *psd)
+                 uint32_t sec_info_sent, SEC_DESC *psd)
 {
        struct ifs_security_descriptor sd = {};
        int fd = -1;
        bool fopened = false;
        NTSTATUS status;
+       uint32_t sec_info_effective = 0;
 
        START_PROFILE(syscall_set_sd);
 
        DEBUG(5,("Setting SD on file %s.\n", fsp->fsp_name ));
 
-       status = onefs_samba_sd_to_sd(security_info_sent, psd, &sd,
-                                     SNUM(handle->conn));
+       status = onefs_samba_sd_to_sd(sec_info_sent, psd, &sd,
+                                     SNUM(handle->conn), &sec_info_effective);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(3, ("SD initialization failure: %s\n", nt_errstr(status)));
@@ -911,6 +918,7 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 
        fd = fsp->fh->fd;
        if (fd == -1) {
+               DEBUG(10,("Reopening file %s.\n", fsp->fsp_name));
                if ((fd = onefs_sys_create_file(handle->conn,
                                                -1,
                                                fsp->fsp_name,
@@ -934,8 +942,9 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
        }
 
         errno = 0;
-       if (ifs_set_security_descriptor(fd, security_info_sent, &sd)) {
-               DEBUG(0, ("Error setting security descriptor = %d\n", errno));
+       if (ifs_set_security_descriptor(fd, sec_info_effective, &sd)) {
+               DEBUG(0, ("Error setting security descriptor = %s\n",
+                         strerror(errno)));
                status = map_nt_error_from_unix(errno);
                goto out;
        }
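Review bot: The failure path reads `errno` twice, once for `strerror(errno)` inside the level-0 DEBUG and again for `map_nt_error_from_unix(errno)` after the log call has run. Whether the logging path preserves errno is not visible here; capturing it once with `int saved_errno = errno;` and using `saved_errno` for both the message and the mapping removes that dependency. Adding `fsp->fsp_name` to the message would also make a failed security-descriptor write traceable to a file. The function continues outside this hunk.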
index f315b34c8bc1af42daafc56ce3b740ea7aa3a4f1..5d7b42281c46aa23710d68d35a8485d0fbe19789 100644 (file)
@@ -719,11 +719,6 @@ NTSTATUS onefs_open_file_ntcreate(connection_struct *conn,
                open_access_mask |= FILE_WRITE_DATA;
        }
 
-       if (lp_parm_bool(SNUM(fsp->conn), PARM_ONEFS_TYPE,
-               PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
-               access_mask &= ~SYSTEM_SECURITY_ACCESS;
-       }
-
        DEBUG(10, ("onefs_open_file_ntcreate: fname=%s, after mapping "
                   "open_access_mask=%#x, access_mask=0x%x\n",
                   fname, open_access_mask, access_mask));
@@ -1684,6 +1679,11 @@ static NTSTATUS onefs_create_file_unixpath(connection_struct *conn,
                }
        }
 
+       if (lp_parm_bool(SNUM(conn), PARM_ONEFS_TYPE,
+               PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
+               access_mask &= ~SYSTEM_SECURITY_ACCESS;
+       }
+
        if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
            && (access_mask & DELETE_ACCESS)
            && !is_ntfs_stream_name(fname)) {
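Review bot: The added block clears `SYSTEM_SECURITY_ACCESS` from `access_mask` with no comment and no log line, so an open that asked for SACL access proceeds with less than it requested and nothing records the downgrade. A one-line why-comment plus a message emitted only when the bit was set, for example `if (access_mask & SYSTEM_SECURITY_ACCESS) DEBUG(5, ("Ignoring SYSTEM_SECURITY_ACCESS.\n"));` ahead of the mask, would match the "Ignoring SACL." message in onefs_acl.c. Whether clearing the bit at this point also bypasses a privilege check that would otherwise reject the request cannot be judged from this hunk and is worth confirming.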
index 22ef2f481b82fcddab7fd599a1d4773bed3b59db..3e51c6cd85b19717d13ebd2f5ef5fa81d004b5f7 100644 (file)
@@ -94,7 +94,7 @@ int onefs_sys_create_file(connection_struct *conn,
        enum oplock_type onefs_oplock;
        enum oplock_type onefs_granted_oplock = OPLOCK_NONE;
        struct ifs_security_descriptor ifs_sd = {}, *pifs_sd = NULL;
-       int secinfo = 0;
+       uint32_t sec_info_effective = 0;
        int ret_fd = -1;
        uint32_t onefs_dos_attributes;
        struct ifs_createfile_flags cf_flags = CF_FLAGS_NONE;
@@ -104,10 +104,12 @@ int onefs_sys_create_file(connection_struct *conn,
        /* Setup security descriptor and get secinfo. */
        if (sd != NULL) {
                NTSTATUS status;
+               uint32_t sec_info_sent = 0;
 
-               secinfo = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK);
+               sec_info_sent = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK);
 
-               status = onefs_samba_sd_to_sd(secinfo, sd, &ifs_sd, SNUM(conn));
+               status = onefs_samba_sd_to_sd(sec_info_sent, sd, &ifs_sd,
+                                             SNUM(conn), &sec_info_effective);
 
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("SD initialization failure: %s\n",
@@ -172,7 +174,7 @@ int onefs_sys_create_file(connection_struct *conn,
                  (unsigned int)mode,
                  onefs_oplock_str(onefs_oplock),
                  (unsigned int)id,
-                 (unsigned int)secinfo, sd,
+                 sec_info_effective, sd,
                  (unsigned int)onefs_dos_attributes, path,
                  cf_flags_and_bool(cf_flags, CF_FLAGS_DEFAULT_ACL) ?
                      "true" : "false"));
@@ -188,8 +190,8 @@ int onefs_sys_create_file(connection_struct *conn,
 
        ret_fd = ifs_createfile(base_fd, path,
            (enum ifs_ace_rights)open_access_mask, flags & ~O_ACCMODE, mode,
-           onefs_oplock, id, psml, secinfo, pifs_sd, onefs_dos_attributes,
-           cf_flags, &onefs_granted_oplock);
+           onefs_oplock, id, psml, sec_info_effective, pifs_sd,
+           onefs_dos_attributes, cf_flags, &onefs_granted_oplock);
 
        DEBUG(10,("onefs_sys_create_file(%s): ret_fd = %d, "
                  "onefs_granted_oplock = %s\n",