The branch, v4-20-test has been updated
       via  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children
       via  d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only 
flag propagation
      from  83da49f3489 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb
Author: Anna Popova <popova.anna...@gmail.com>
Date:   Fri Apr 12 17:32:37 2024 +0300

    s3:utils: Fix Inherit-Only flag being automatically propagated to children
    
    The Inherit-only flag applies only to the container it was set on, and it
    shouldn't be automatically propagated to children.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
    
    Signed-off-by: Anna Popova <popova.anna...@gmail.com>
    Reviewed-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901)
    
    Autobuild-User(v4-20-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-20-test): Tue May  7 08:52:48 UTC 2024 on atb-devel-224

commit d28a889aed25ac98ba4ef34b26190224e5ebe907
Author: yuzu367 <popova.anna...@gmail.com>
Date:   Thu Apr 11 11:31:07 2024 +0300

    python/samba/tests/blackbox: Add tests for Inherit-only flag propagation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
    
    Signed-off-by: Anna Popova <popova.anna...@gmail.com>
    Reviewed-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d)

-----------------------------------------------------------------------

Summary of changes:
 .../blackbox/smbcacls_propagate_inhertance.py      | 108 +++++++++++++++++++++
 source3/utils/smbcacls.c                           |   4 +
 2 files changed, 112 insertions(+)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
index cc13727b8fb..5b3a27111d5 100644
--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
@@ -1288,3 +1288,111 @@ class 
InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase):
 
         except BlackboxProcessError as e:
             self.fail(str(e))
+
+    def test_simple_iocioi_add(self):
+        """test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+        for the file and additionally use inheritance rules to propagate 
appropriate
+        changes to children
+
+        This test adds an ACL with (IO)(CI)(OI)(READ)
+
+        before:
+
+        +-tar_test_dir/    (OI)(CI)(I)(F)
+          +-oi_dir/        (OI)(CI)(I)(F)
+          | +-file.1            (I)(F)
+          | +-nested/      (OI)(CI)(I)(F)
+          |   +-file.2          (I)(F)
+          |   +-nested_again/     (OI)(CI)(I)(F)
+          |     +-file.3          (I)(F)
+
+        after/expected:
+
+        +-tar_test_dir/    (OI)(CI)(I)(F)
+          +-oi_dir/        (OI)(CI)(I)(F), (IO)(CI)(OI)(READ)
+          | +-file.1            (I)(F), (I)(READ)
+          | +-nested/      (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+          |   +-file.2          (I)(F), (I)(READ)
+          |   +-nested_again/     (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+          |     +-file.3          (I)(F), (I)(READ)"""
+
+        dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user
+        obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user
+        dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user
+
+        try:
+
+            self.smb_cacls(["--propagate-inheritance", "--add",
+                            dir_add_acl_str, self.oi_dir])
+
+            # check top level container 'oi_dir' has IO|CI|OI/READ
+            dir_ace = self.ace_parse_str(dir_add_acl_str)
+            self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
+
+            # file 'oi_dir/file-1' should  have inherited I/READ
+            child_file_ace = self.ace_parse_str(obj_inherited_ace_str)
+            self.assertTrue(self.file_ace_check(self.f1, child_file_ace))
+
+            # nested dir  'oi_dir/nested/' should have I|CI|OI/READ
+            child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+            self.assertTrue(self.file_ace_check(self.nested_dir, 
child_dir_ace))
+
+            # nested file 'oi_dir/nested/file-2' should  have inherited I/READ
+            self.assertTrue(self.file_ace_check(self.f2, child_file_ace))
+
+            # nested_again dir  'oi_dir/nested/nested_again' should have 
I|CI|OI/READ
+            child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+            self.assertTrue(self.file_ace_check(self.nested_again_dir, 
child_dir_ace))
+            # nested_again file 'oi_dir/nested/nested_again/file-3' should  
have inherited I/READ
+            self.assertTrue(self.file_ace_check(self.f3, child_file_ace))
+        except BlackboxProcessError as e:
+            self.fail(str(e))
+
+    def test_simple_ioci_add(self):
+        """test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+        for the file and additionally use inheritance rules to propagate 
appropriate
+        changes to children
+
+        This test adds an ACL with (IO)(CI)(READ)
+
+        before:
+
+        +-tar_test_dir/    (OI)(CI)(I)(F)
+          +-oi_dir/        (OI)(CI)(I)(F)
+          | +-file.1            (I)(F)
+          | +-nested/      (OI)(CI)(I)(F)
+          |   +-file.2          (I)(F)
+          |   +-nested_again/     (OI)(CI)(I)(F)
+          |     +-file.3          (I)(F)
+
+        after/expected:
+
+        +-tar_test_dir/    (OI)(CI)(I)(F)
+          +-oi_dir/        (OI)(CI)(I)(F), (IO)(CI)(READ)
+          | +-file.1            (I)(F)
+          | +-nested/      (OI)(CI)(I)(F), (I)(CI)(READ)
+          |   +-file.2          (I)(F)
+          |   +-nested_again/     (OI)(CI)(I)(F), (I)(CI)(READ)
+          |     +-file.3          (I)(F)"""
+
+        dir_add_acl_str = "ACL:%s:ALLOWED/CI|IO/READ" % self.user
+        dir_inherited_ace_str = "ACL:%s:ALLOWED/CI|I/READ" % self.user
+
+        try:
+
+            self.smb_cacls(["--propagate-inheritance", "--add",
+                            dir_add_acl_str, self.oi_dir])
+
+            # check top level container 'oi_dir' has IO|CI/READ
+            dir_ace = self.ace_parse_str(dir_add_acl_str)
+            self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
+
+            # nested dir  'oi_dir/nested/' should have I|CI/READ
+            child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+            self.assertTrue(self.file_ace_check(self.nested_dir, 
child_dir_ace))
+
+            # nested_again dir  'oi_dir/nested/nested_again' should have 
I|CI/READ
+            child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+            self.assertTrue(self.file_ace_check(self.nested_again_dir, 
child_dir_ace))
+        except BlackboxProcessError as e:
+            self.fail(str(e))
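Review bot: In test_simple_ioci_add the expected tree in the docstring says file.1, file.2 and file.3 keep only (I)(F), but the test never asserts that. It checks oi_dir and the two nested directories only, so a regression that hands a READ ACE to files from a CI-only entry would still pass. Assuming file_ace_check returns False when the ACE is absent (it is only used under assertTrue here, so confirm), add `self.assertFalse(self.file_ace_check(self.f1, self.ace_parse_str("ACL:%s:ALLOWED/I/READ" % self.user)))` and the same for self.f2 and self.f3. For a permission-propagation test, the "must not be granted" side matters as much as the "must be present" side.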
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index ff11ba4d7d7..e0591ac076b 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -914,6 +914,10 @@ static uint8_t get_flags_to_propagate(bool is_container,
        /* Assume we are not propagating the ACE */
 
        newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+
+       /* Inherit-only flag is not propagated to children */
+
+       newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
        /* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
        if (acl_cntrinherit || acl_objinherit) {
                /*
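Review bot: The added `newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;` clears the bit for every ACE, including an object-inherit-only ACE (OI without CI) reaching a child directory. In that case the inherited copy has to stay inherit-only, or the directory itself gains the access meant for the files below it. get_flags_to_propagate starts before the hunk, and the branch opened at `if (acl_cntrinherit || acl_objinherit)` continues after it, so whether the bit is set again for that case cannot be seen here and should be confirmed. The comment would say more as `/* Inherit-only belongs to the container the ACE was set on; clear it here, any inherit-only the child needs is decided below */`. The tests in this push cover OI|CI|IO and CI|IO only, so an OI|IO case asserting that nested/ still carries IO would pin the behaviour down.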


-- 
Samba Shared Repository
