The branch, master has been updated
       via  813bf8b4f463199b7c2d3cddab7056b8a68a0b70 (commit)
      from  5a33e906f651ea84ec909fd6453e13a9489bd391 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 813bf8b4f463199b7c2d3cddab7056b8a68a0b70
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Sat Nov 8 22:57:57 2008 -0800

    Fix a subtle logic bug in the adaption of se_create_child_secdesc(), pass 
RAW-ACL inheritance tests. Only access masks for SD get/set left to fix.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/secdesc.c           |    3 +++
 source3/modules/vfs_acl_xattr.c |   21 ++++++++++++++++++++-
 source4/torture/raw/acls.c      |   23 ++++++++++++++++++-----
 3 files changed, 41 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index de547d8..df85336 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -546,6 +546,9 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
                        ptrustee = creator;
                        new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+               } else if (container &&
+                               !(ace->flags & 
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
+                       ptrustee = &ace->trustee;
                }
 
                init_sec_ace(new_ace, ptrustee, ace->type,
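Review bot: The new `else if (container && !(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))` branch changes which trustee is written into the inherited ACE, but carries no comment saying which inheritance case it covers. The commit message itself calls the bug subtle, and this value goes straight into `init_sec_ace()`, so the intent should be recorded next to the assignment, for example `/* Child is a container and the ACE keeps propagating: inherit it with the original trustee. */`. The condition of the preceding `if` is outside the hunk, so confirm that the wording matches the case that branch already handles.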
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 209209d..a5d9395 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -363,10 +363,18 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
        status = get_nt_acl_xattr_internal(handle,
                                        NULL,
                                        parent_name,
-                                       DACL_SECURITY_INFORMATION,
+                                       (OWNER_SECURITY_INFORMATION |
+                                        GROUP_SECURITY_INFORMATION |
+                                        DACL_SECURITY_INFORMATION),
                                        &parent_desc);
         if (NT_STATUS_IS_OK(status)) {
                /* Create an inherited descriptor from the parent. */
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: parent acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, parent_desc);
+               }
+
                status = se_create_child_secdesc(ctx,
                                &psd,
                                &size,
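Review bot: The `security_info` argument to `get_nt_acl_xattr_internal()` is widened from the DACL alone to owner, group and DACL, but nothing at the call explains why the parent's owner and group are now needed. A one-line comment above the mask would stop a later cleanup from narrowing it again, for example `/* Inheritance needs the parent's owner and group as well as its DACL. */`, if that is indeed the reason. The level-10 `NDR_PRINT_DEBUG` dump added below will now include those owner and group SIDs in the log. The rest of the `se_create_child_secdesc()` call lies outside this hunk.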
@@ -377,6 +385,12 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: child acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, psd);
+               }
+
        } else {
                DEBUG(10,("inherit_new_acl: directory %s failed "
                        "to get acl %s\n",
@@ -401,6 +415,11 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
                if (!psd) {
                        return NT_STATUS_NO_MEMORY;
                }
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: default acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, psd);
+               }
        }
 
        status = create_acl_blob(psd, &blob);
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index d76454d..f6c690b 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -1457,7 +1457,9 @@ static bool test_inheritance(struct torture_context *tctx,
                    (!(test_flags[i].parent_flags & 
SEC_ACE_FLAG_OBJECT_INHERIT) ||
                     (test_flags[i].parent_flags & 
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) {
                        if (!security_descriptor_equal(q.query_secdesc.out.sd, 
sd_def)) {
-                               printf("Expected default sd for dir at %d - 
got:\n", i);
+                               printf("Expected default sd for dir at %d:\n", 
i);
+                               NDR_PRINT_DEBUG(security_descriptor, sd_def);
+                               printf("got:\n");
                                NDR_PRINT_DEBUG(security_descriptor, 
q.query_secdesc.out.sd);
                        }
                        continue;
@@ -1471,7 +1473,7 @@ static bool test_inheritance(struct torture_context *tctx,
                            
!dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
                                           sd_orig->owner_sid) ||
                            q.query_secdesc.out.sd->dacl->aces[0].flags != 
test_flags[i].dir_flags) {
-                               printf("Bad sd in child dir at %d (parent 
0x%x)\n", 
+                               printf("(CI & NP) Bad sd in child dir at %d 
(parent 0x%x)\n", 
                                       i, test_flags[i].parent_flags);
                                NDR_PRINT_DEBUG(security_descriptor, 
q.query_secdesc.out.sd);
                                ret = false;
@@ -1489,7 +1491,7 @@ static bool test_inheritance(struct torture_context *tctx,
                            q.query_secdesc.out.sd->dacl->aces[0].flags != 0 ||
                            q.query_secdesc.out.sd->dacl->aces[1].flags != 
                            (test_flags[i].dir_flags | 
SEC_ACE_FLAG_INHERIT_ONLY)) {
-                               printf("Bad sd in child dir at %d (parent 
0x%x)\n", 
+                               printf("(CI) Bad sd in child dir at %d (parent 
0x%x)\n", 
                                       i, test_flags[i].parent_flags);
                                NDR_PRINT_DEBUG(security_descriptor, 
q.query_secdesc.out.sd);
                                ret = false;
@@ -1502,8 +1504,19 @@ static bool test_inheritance(struct torture_context 
*tctx,
                            
!dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
                                           creator_owner) ||
                            q.query_secdesc.out.sd->dacl->aces[0].flags != 
test_flags[i].dir_flags) {
-                               printf("Bad sd in child dir at %d (parent 
0x%x)\n", 
-                                      i, test_flags[i].parent_flags);
+                               printf("FAIL. t1 = %d, t2 = %d, t3 = %d, t4 = 
%d, t5 = %d\n",
+                                       q.query_secdesc.out.sd->dacl == NULL,
+                                       q.query_secdesc.out.sd->dacl->num_aces 
!= 1,
+                                       
q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA,
+                                       
!dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
+                                               creator_owner),
+                                       
q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags);
+
+                               printf("(0) Bad sd in child dir at %d (parent 
0x%x) flags = 0x%x dir_flags=0x%x\n", 
+                                       i,
+                                       test_flags[i].parent_flags,
+                                       
q.query_secdesc.out.sd->dacl->aces[0].flags,
+                                       test_flags[i].dir_flags);
                                NDR_PRINT_DEBUG(security_descriptor, 
q.query_secdesc.out.sd);
                                ret = false;
                                continue;
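Review bot: The added `printf("FAIL. t1 = ...")` passes `q.query_secdesc.out.sd->dacl == NULL` as its first argument and then dereferences `dacl->num_aces` and `dacl->aces[0]` in the same argument list. If the check failed because the DACL is missing or empty, the diagnostic itself crashes the test or reads past the ACE array. The second `printf` has the same problem with `dacl->aces[0].flags`. The start of the enclosing `if` condition is outside the hunk, but the `t1`/`t2` arguments suggest it tests exactly those cases. Guard the detailed output so it only runs when there is at least one ACE to print.

```c
				if (q.query_secdesc.out.sd->dacl == NULL ||
				    q.query_secdesc.out.sd->dacl->num_aces < 1) {
					/* Nothing to dereference: report the missing/empty DACL only. */
					printf("(0) Bad sd in child dir at %d (parent 0x%x): "
					       "no DACL or no ACEs\n",
					       i, test_flags[i].parent_flags);
				} else {
					/* … unchanged: the two printf() calls added by this commit … */
				}
				/* … unchanged: NDR_PRINT_DEBUG, ret = false, continue … */
```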


-- 
Samba Shared Repository
