vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL
authorRalph Boehme <slow@samba.org>
Wed, 24 Aug 2016 08:43:47 +0000 (10:43 +0200)
committerKarolin Seeger <kseeger@samba.org>
Fri, 16 Sep 2016 10:05:33 +0000 (12:05 +0200)
If ignore_system_acls is set and we're synthesizing a default ACL, we
were fetching the filesystem ACL just to free it again. This change
avoids this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit f46179ef7310959af095b0ea6234df7523d15457)

source3/modules/vfs_acl_common.c

index dfe6d23bf44b9d5d925ad0de1bc579aadcce9019..15002ec5c5ada2c448fcb3b5022b81f1162bd7c3 100644 (file)
@@ -787,33 +787,56 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
                /* Get the full underlying sd, as we failed to get the
                 * blob for the hash, or the revision/hash type wasn't
                 * known */
-               if (fsp) {
-                       status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
-                                                         fsp,
-                                                         security_info,
-                                                         mem_ctx,
-                                                         &psd);
+
+               if (config->ignore_system_acls) {
+                       SMB_STRUCT_STAT sbuf;
+                       SMB_STRUCT_STAT *psbuf = &sbuf;
+
+                       status = stat_fsp_or_name(handle, fsp, name,
+                                                 &sbuf, &psbuf);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               goto fail;
+                       }
+
+                       status = make_default_filesystem_acl(
+                               mem_ctx,
+                               name,
+                               psbuf,
+                               &psd);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               goto fail;
+                       }
                } else {
-                       status = SMB_VFS_NEXT_GET_NT_ACL(handle,
-                                                        name,
-                                                        security_info,
-                                                        mem_ctx,
-                                                        &psd);
-               }
+                       if (fsp) {
+                               status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
+                                                                 fsp,
+                                                                 security_info,
+                                                                 mem_ctx,
+                                                                 &psd);
+                       } else {
+                               status = SMB_VFS_NEXT_GET_NT_ACL(handle,
+                                                                name,
+                                                                security_info,
+                                                                mem_ctx,
+                                                                &psd);
+                       }
 
-               if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
-                                  "returned %s\n", name, nt_errstr(status)));
-                       goto fail;
-               }
+                       if (!NT_STATUS_IS_OK(status)) {
+                               DBG_DEBUG("get_next_acl for file %s "
+                                         "returned %s\n", name,
+                                         nt_errstr(status));
+                               goto fail;
+                       }
 
-               psd_is_from_fs = true;
+                       psd_is_from_fs = true;
+               }
        }
 
        if (psd_is_from_fs) {
                SMB_STRUCT_STAT sbuf;
                SMB_STRUCT_STAT *psbuf = &sbuf;
                bool is_directory = false;
+
                /*
                 * We're returning the underlying ACL from the
                 * filesystem. If it's a directory, and has no
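Review bot: The two `goto fail` exits in the new `config->ignore_system_acls` branch are silent, while the filesystem path in the `else` branch still logs through `DBG_DEBUG`. Unless the `fail` label (outside this hunk) logs, a failed `stat_fsp_or_name()` or `make_default_filesystem_acl()` leaves no trace of why the synthesized descriptor could not be built. I would add `DBG_DEBUG("stat for file %s returned %s\n", name, nt_errstr(status));` before the first exit and `DBG_DEBUG("make_default_filesystem_acl for file %s returned %s\n", name, nt_errstr(status));` before the second. This branch also no longer sets `psd_is_from_fs`, which the old code set to true for the same configuration, so any use of that flag beyond the block visible here should be checked. The function starts before this hunk and the `if (psd_is_from_fs)` block runs past its end.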
@@ -828,34 +851,23 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 
                is_directory = S_ISDIR(psbuf->st_ex_mode);
 
-               if (config->ignore_system_acls) {
-                       TALLOC_FREE(psd);
-                       status = make_default_filesystem_acl(mem_ctx,
-                                               name,
-                                               psbuf,
-                                               &psd);
+               if (is_directory && !sd_has_inheritable_components(psd, true)) {
+                       status = add_directory_inheritable_components(
+                               handle,
+                               name,
+                               psbuf,
+                               psd);
                        if (!NT_STATUS_IS_OK(status)) {
                                goto fail;
                        }
-               } else {
-                       if (is_directory &&
-                               !sd_has_inheritable_components(psd,
-                                                       true)) {
-                               status = add_directory_inheritable_components(
-                                                       handle,
-                                                       name,
-                                                       psbuf,
-                                                       psd);
-                               if (!NT_STATUS_IS_OK(status)) {
-                                       goto fail;
-                               }
-                       }
-                       /* The underlying POSIX module always sets
-                          the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
-                          can't be inherited in this way under POSIX.
-                          Remove it for Windows-style ACLs. */
-                       psd->type &= ~SEC_DESC_DACL_PROTECTED;
                }
+
+               /*
+                * The underlying POSIX module always sets the
+                * ~SEC_DESC_DACL_PROTECTED bit, as ACLs can't be inherited in
+                * this way under POSIX. Remove it for Windows-style ACLs.
+                */
+               psd->type &= ~SEC_DESC_DACL_PROTECTED;
        }
 
        if (!(security_info & SECINFO_OWNER)) {
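Review bot: The re-wrapped comment above `psd->type &= ~SEC_DESC_DACL_PROTECTED;` still says the POSIX module sets "the ~SEC_DESC_DACL_PROTECTED bit", which reads as the complement being set, although the statement clears SEC_DESC_DACL_PROTECTED itself. Since the comment is being touched anyway, I would start it with `The underlying POSIX module always sets SEC_DESC_DACL_PROTECTED, as ACLs can't be inherited in this way under POSIX.` As far as the visible lines show, a descriptor synthesized under ignore_system_acls now skips this block only because `psd_is_from_fs` is not set on that path. One more sentence in the comment saying so would protect that invariant, which is what keeps the inheritable-components fix-up and the flag clearing away from the default ACL. The enclosing `if (psd_is_from_fs)` block opens in the previous hunk and the function continues past this one.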