From f23bb1348cb7bcedb742de9dcb523d80a6f66e15 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 24 Aug 2016 10:43:47 +0200
Subject: [PATCH] vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL

If ignore_system_acls is set and we're synthesizing a default ACL, we were fetching the filesystem ACL just to free it again. This change avoids this.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(backported from commit f46179ef7310959af095b0ea6234df7523d15457)
---
 source3/modules/vfs_acl_common.c | 96 ++++++++++++++++++--------------
 1 file changed, 54 insertions(+), 42 deletions(-)

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index dfe6d23bf44..15002ec5c5a 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -787,33 +787,56 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 /* Get the full underlying sd, as we failed to get the
 * blob for the hash, or the revision/hash type wasn't
 * known */
- if (fsp) {
- status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
- fsp,
- security_info,
- mem_ctx,
- &psd);
+
+ if (config->ignore_system_acls) {
+ SMB_STRUCT_STAT sbuf;
+ SMB_STRUCT_STAT *psbuf = &sbuf;
+
+ status = stat_fsp_or_name(handle, fsp, name,
+ &sbuf, &psbuf);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = make_default_filesystem_acl(
+ mem_ctx,
+ name,
+ psbuf,
+ &psd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
 } else {
- status = SMB_VFS_NEXT_GET_NT_ACL(handle,
- name,
- security_info,
- mem_ctx,
- &psd);
- }
+ if (fsp) {
+ status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
+ fsp,
+ security_info,
+ mem_ctx,
+ &psd);
+ } else {
+ status = SMB_VFS_NEXT_GET_NT_ACL(handle,
+ name,
+ security_info,
+ mem_ctx,
+ &psd);
+ }

- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
- "returned %s\n", name, nt_errstr(status)));
- goto fail;
- }
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("get_next_acl for file %s "
+ "returned %s\n", name,
+ nt_errstr(status));
+ goto fail;
+ }

- psd_is_from_fs = true;
+ psd_is_from_fs = true;
+ }
 }

 if (psd_is_from_fs) {
 SMB_STRUCT_STAT sbuf;
 SMB_STRUCT_STAT *psbuf = &sbuf;
 bool is_directory = false;
+
 /*
 * We're returning the underlying ACL from the
 * filesystem. If it's a directory, and has no
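Review bot: The new `if (config->ignore_system_acls)` branch never touches `psd_is_from_fs`, and nothing at the branch says that this is deliberate. That flag (presumably initialised to false outside the hunk) is what keeps the synthesized descriptor out of the filesystem-ACL fix-ups in the `if (psd_is_from_fs)` block, so the access-control result depends on an invariant a later edit could break unnoticed. I would state it at the branch, e.g. `/* Synthesized default ACL: psd_is_from_fs stays false so the filesystem-ACL fix-ups below are skipped. */`. The two `goto fail` exits in this branch are also silent, unlike the filesystem path's `DBG_DEBUG`; unless the helpers already log, a matching `DBG_DEBUG("stat_fsp_or_name for file %s returned %s\n", name, nt_errstr(status));` would help diagnose why no ACL could be produced. get_nt_acl_internal starts and ends outside the hunk.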
@@ -828,34 +851,23 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,

 is_directory = S_ISDIR(psbuf->st_ex_mode);

- if (config->ignore_system_acls) {
- TALLOC_FREE(psd);
- status = make_default_filesystem_acl(mem_ctx,
- name,
- psbuf,
- &psd);
+ if (is_directory && !sd_has_inheritable_components(psd, true)) {
+ status = add_directory_inheritable_components(
+ handle,
+ name,
+ psbuf,
+ psd);
 if (!NT_STATUS_IS_OK(status)) {
 goto fail;
 }
- } else {
- if (is_directory &&
- !sd_has_inheritable_components(psd,
- true)) {
- status = add_directory_inheritable_components(
- handle,
- name,
- psbuf,
- psd);
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
- }
- }
- /* The underlying POSIX module always sets
- the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
- can't be inherited in this way under POSIX.
- Remove it for Windows-style ACLs. */
- psd->type &= ~SEC_DESC_DACL_PROTECTED;
 }
+
+ /*
+ * The underlying POSIX module always sets the
+ * ~SEC_DESC_DACL_PROTECTED bit, as ACLs can't be inherited in
+ * this way under POSIX. Remove it for Windows-style ACLs.
+ */
+ psd->type &= ~SEC_DESC_DACL_PROTECTED;
 }

 if (!(security_info & SECINFO_OWNER)) {
-- 
2.47.2
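Review bot: The relocated comment above `psd->type &= ~SEC_DESC_DACL_PROTECTED;` keeps the old wording "always sets the ~SEC_DESC_DACL_PROTECTED bit", where the `~` reads as if the complement were being set even though the statement below clears the flag. Since this line changes the inheritance-protection state reported for the descriptor, I would word it unambiguously, e.g. `* The underlying POSIX module always sets SEC_DESC_DACL_PROTECTED, as ACLs can't be inherited in`. The fix-ups in this block now run for every descriptor with `psd_is_from_fs` set, so they rely on the earlier hunk never setting that flag on the `ignore_system_acls` path; a one-line comment at the top of the block saying so would guard against a later edit reintroducing the mix-up. The enclosing function starts and ends outside the hunk.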