Patch from SATOH Fumiyasu <fumiyas@osstech.co.jp> for bug #5202. Re-activate "acl...

parameter and make it only apply to owning group. Also added man page fix.
Jeremy.

diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml b/docs-xml/smbdotconf/misc/dosfilemode.xml
index ae3b475107b1bac2151bde2208f82838bdb5182b..e67ccd935a58966940dcef9110beb3025d3282cc 100644 (file)
--- a/docs-xml/smbdotconf/misc/dosfilemode.xml
+++ b/docs-xml/smbdotconf/misc/dosfilemode.xml
@@ -3,15 +3,16 @@
                 type="boolean"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
                 type="boolean"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>

-       <para> The default behavior in Samba is to provide 
-       UNIX-like behavior where only the owner of a file/directory is 
+       <para> The default behavior in Samba is to provide
+       UNIX-like behavior where only the owner of a file/directory is

        able to change the permissions on it.  However, this behavior
        able to change the permissions on it.  However, this behavior

-       is often confusing to  DOS/Windows users.  Enabling this parameter 
-       allows a user who has write access to the file (by whatever 
-       means) to modify the permissions (including ACL) on it.  Note that a user
-       belonging to the group owning the file will not be allowed to
-       change permissions if the group is only granted read access.
-       Ownership of the file/directory may also be changed.</para>
+       is often confusing to  DOS/Windows users.  Enabling this parameter
+       allows a user who has write access to the file (by whatever
+       means, including an ACL permission) to modify the permissions
+       (including ACL) on it. Note that a user belonging to the group
+       owning the file will not be allowed to change permissions if
+       the group is only granted read access. Ownership of the
+       file/directory may also be changed.</para>

 </description>
 <value type="default">no</value>
 </samba:parameter>
 </description>
 <value type="default">no</value>
 </samba:parameter>

diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
index e2600ca9da5fe7b851c5d92890f24cf90602d206..6efd46dd8dc6434801a3526f3abe7f733fe4884d 100644 (file)
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -30,8 +30,10 @@
        </para>
 
        <para>
        </para>
 
        <para>

-       This is parameter has been marked deprecated in Samba 3.0.23.  The same behavior is now
-       implemented by the <parameter moreinfo="none">dos filemode</parameter> option.
+       This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
+       Samba 3.0.31 and above, as it now only controls permission changes if the user
+       is in the owning primary group. It is now no longer equivalent to the
+       <parameter moreinfo="none">dos filemode</parameter> option.

        </para>
 
 </description>
        </para>
 
 </description>

diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 4f44088c8f61227526fe76b150dda96f810df1c3..85f021763f74ca930b1cda45ad930993138e2a64 100644 (file)
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -922,7 +922,7 @@ static struct parm_struct parm_table[] = {
        {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, 
 
        {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
        {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, 
 
        {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},

-       {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED },
+       {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE },

        {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
        {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
        {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, 
        {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
        {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
        {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, 

diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index f40a344124ebca5b498306d3e16b5cbf3c5e4d42..9913d5aead6ccc8d47e2f9afbdb217c635e97fb8 100644 (file)
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2289,18 +2289,26 @@ static BOOL current_user_in_group(gid_t gid)
 }
 
 /****************************************************************************
 }
 
 /****************************************************************************

- Should we override a deny ?  Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ?  Check 'acl group control' and 'dos filemode'

 ****************************************************************************/
 
 ****************************************************************************/
 

-static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
+static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid, const char *fname)

 {
 {

-       if ( (errno == EACCES || errno == EPERM) 
-               && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
-               && current_user_in_group(prim_gid)) 
-       {
+       SMB_STRUCT_STAT sbuf;
+
+       if ((errno != EPERM) && (errno != EACCES)) {
+               return False;
+       }
+
+       /* file primary group == user primary or supplementary group */
+       if (lp_acl_group_control(SNUM(conn)) && current_user_in_group(prim_gid)) {

                return True;
                return True;

-       } 
+       }
+
+       /* user has writeable permission */
+       if (lp_dos_filemode(SNUM(conn)) && can_write_to_file(conn, fname, &sbuf)) {
+               return True;
+       }

 
        return False;
 }
 
        return False;
 }


@@ -2488,7 +2496,7 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
                                *pacl_set_support = False;
                        }
 
                                *pacl_set_support = False;
                        }
 

-                       if (acl_group_override(conn, prim_gid)) {
+                       if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {

                                int sret;
 
                                DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
                                int sret;
 
                                DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",


@@ -2519,7 +2527,7 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
                                *pacl_set_support = False;
                        }
 
                                *pacl_set_support = False;
                        }
 

-                       if (acl_group_override(conn, prim_gid)) {
+                       if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {

                                int sret;
 
                                DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
                                int sret;
 
                                DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",


@@ -3477,7 +3485,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
                                        if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
                                                int sret = -1;
 
                                        if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
                                                int sret = -1;
 

-                                               if (acl_group_override(conn, sbuf.st_gid)) {
+                                               if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {

                                                        DEBUG(5,("set_nt_acl: acl group control on and "
                                                                "current user in file %s primary group. Override delete_def_acl\n",
                                                                fsp->fsp_name ));
                                                        DEBUG(5,("set_nt_acl: acl group control on and "
                                                                "current user in file %s primary group. Override delete_def_acl\n",
                                                                fsp->fsp_name ));


@@ -3524,7 +3532,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 
                                        if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
                                                int sret = -1;
 
                                        if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
                                                int sret = -1;

-                                               if (acl_group_override(conn, sbuf.st_gid)) {
+                                               if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {

                                                        DEBUG(5,("set_nt_acl: acl group control on and "
                                                                "current user in file %s primary group. Override chmod\n",
                                                                fsp->fsp_name ));
                                                        DEBUG(5,("set_nt_acl: acl group control on and "
                                                                "current user in file %s primary group. Override chmod\n",
                                                                fsp->fsp_name ));