diff --git a/include/ntfs-3g/acls.h b/include/ntfs-3g/acls.h
index 4b083886..38d2cd64 100644
--- a/include/ntfs-3g/acls.h
+++ b/include/ntfs-3g/acls.h
@@ -170,6 +170,9 @@ int ntfs_merge_mode_posix(struct POSIX_SECURITY *pxdesc, mode_t mode);
 struct POSIX_SECURITY *ntfs_build_inherited_posix( const struct POSIX_SECURITY *pxdesc, mode_t mode, mode_t umask, BOOL isdir);
+struct POSIX_SECURITY *ntfs_build_basic_posix(
+ const struct POSIX_SECURITY *pxdesc, mode_t mode,
+ mode_t umask, BOOL isdir);
 struct POSIX_SECURITY *ntfs_replace_acl(const struct POSIX_SECURITY *oldpxdesc, const struct POSIX_ACL *newacl, int count, BOOL deflt);
 struct POSIX_SECURITY *ntfs_build_permissions_posix(
diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
index 0de025f2..422e75b9 100644
--- a/libntfs-3g/acls.c
+++ b/libntfs-3g/acls.c
@@ -1303,6 +1303,45 @@ struct POSIX_SECURITY *ntfs_replace_acl(const struct POSIX_SECURITY *oldpxdesc,
 return (newpxdesc);
 }
+struct POSIX_SECURITY *ntfs_build_basic_posix(
+ const struct POSIX_SECURITY *pxdesc __attribute__((unused)),
+ mode_t mode, mode_t mask, BOOL isdir __attribute__((unused)))
+{
+ struct POSIX_SECURITY *pydesc;
+ struct POSIX_ACE *pyace;
+
+ pydesc = (struct POSIX_SECURITY*)malloc(
+ sizeof(struct POSIX_SECURITY) + 3*sizeof(struct POSIX_ACE));
+ if (pydesc) {
+ /*
+ * Copy inherited tags and adapt perms
+ * Use requested mode, ignoring umask
+ * (not possible with older versions of fuse)
+ */
+ pyace = &pydesc->acl.ace[0];
+ pyace->tag = POSIX_ACL_USER_OBJ;
+ pyace->perms = ((mode & ~mask) >> 6) & 7;
+ pyace->id = -1;
+ pyace = &pydesc->acl.ace[1];
+ pyace->tag = POSIX_ACL_GROUP_OBJ;
+ pyace->perms = ((mode & ~mask) >> 3) & 7;
+ pyace->id = -1;
+ pyace = &pydesc->acl.ace[2];
+ pyace->tag = POSIX_ACL_OTHER;
+ pyace->perms = (mode & ~mask) & 7;
+ pyace->id = -1;
+ pydesc->mode = mode;
+ pydesc->tagsset = POSIX_ACL_USER_OBJ
+ | POSIX_ACL_GROUP_OBJ
+ | POSIX_ACL_OTHER;
+ pydesc->acccnt = 3;
+ pydesc->defcnt = 0;
+ pydesc->firstdef = 6;
+ } else
+ errno = ENOMEM;
+ return (pydesc);
+}
+
 /*
 * Build an inherited Posix descriptor from parent
 * descriptor (if any) restricted to creation mode
diff --git a/libntfs-3g/security.c b/libntfs-3g/security.c
index 58bbb27e..11b74601 100644
--- a/libntfs-3g/security.c
+++ b/libntfs-3g/security.c
@@ -2503,8 +2503,12 @@ static struct POSIX_SECURITY *inherit_posix(struct SECURITY_CONTEXT *scx,
 gid = cached->gid;
 pxdesc = cached->pxdesc;
 if (pxdesc) {
- pydesc = ntfs_build_inherited_posix(pxdesc,mode,
- scx->umask,isdir);
+ if (scx->vol->secure_flags & (1 << SECURITY_ACL))
+ pydesc = ntfs_build_inherited_posix(pxdesc,
+ mode, scx->umask, isdir);
+ else
+ pydesc = ntfs_build_basic_posix(pxdesc,
+ mode, scx->umask, isdir);
 }
 } else {
 securattr = getsecurityattr(scx->vol, dir_ni);
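Review bot: In ntfs_build_basic_posix() the three ACE permission fields are computed from `mode & ~mask`, but `pydesc->mode = mode;` stores the unmasked value, so the descriptor's mode and its ACL disagree whenever the mask clears a permission bit. Which of the two a consumer reads then decides how permissive the new file ends up; if the mask is meant to apply, `pydesc->mode = mode & ~mask;` keeps them in step. The block comment ("Copy inherited tags ... ignoring umask") describes the inherited variant rather than this function, which copies nothing from `pxdesc` and does apply the mask, so it should be rewritten to say that only owner, group and other entries are built from the masked mode. `pydesc->firstdef = 6;` next to `acccnt = 3` also deserves a one-line comment explaining the value.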
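Review bot: The new else branch in inherit_posix() calls `ntfs_build_basic_posix()` only inside the existing `if (pxdesc)` guard, although that builder marks `pxdesc` as unused, so with SECURITY_ACL clear the result still depends on whether the parent directory had a descriptor. If that dependence is not intended, the flag test belongs above the guard; if it is, a comment such as `/* ACL flag clear: parent ACL is not inherited, only mode and umask are used */` would record why. The same unbraced if/else is repeated in the hunk at line 2548 and the remark applies there as well. inherit_posix() begins and ends outside both hunks, so the value pydesc holds when the guard fails is not visible here.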
@@ -2548,8 +2552,15 @@ static struct POSIX_SECURITY *inherit_posix(struct SECURITY_CONTEXT *scx,
 enter_cache(scx, dir_ni, uid, gid, pxdesc);
 }
- pydesc = ntfs_build_inherited_posix(pxdesc,
- mode, scx->umask, isdir);
+ if (scx->vol->secure_flags
+ & (1 << SECURITY_ACL))
+ pydesc = ntfs_build_inherited_posix(
+ pxdesc, mode,
+ scx->umask, isdir);
+ else
+ pydesc = ntfs_build_basic_posix(
+ pxdesc, mode,
+ scx->umask, isdir);
 free(pxdesc);
 }
 free(securattr);
diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
index 04a239c5..273ff34a 100644
--- a/src/lowntfs-3g.c
+++ b/src/lowntfs-3g.c
@@ -2698,6 +2698,7 @@ static ntfs_inode *ntfs_check_access_xattr(fuse_req_t req,
 if (((!ntfs_fuse_fill_security_context(req, security) || (ctx->secure_flags & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_RAW))))
+ || !(ctx->secure_flags & (1 << SECURITY_ACL))
 || (setting && ctx->inherit)) && foracl) {
 if (ctx->silent)
diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c
index 558d2577..94bb1383 100644
--- a/src/ntfs-3g.c
+++ b/src/ntfs-3g.c
@@ -2536,6 +2536,7 @@ static ntfs_inode *ntfs_check_access_xattr(struct SECURITY_CONTEXT *security,
 if (((!ntfs_fuse_fill_security_context(security) || (ctx->secure_flags & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_RAW))))
+ || !(ctx->secure_flags & (1 << SECURITY_ACL))
 || (setting && ctx->inherit)) && foracl) {
 if (ctx->silent)
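Review bot: With the added `|| !(ctx->secure_flags & (1 << SECURITY_ACL))` term in ntfs_check_access_xattr() of src/lowntfs-3g.c, every ACL xattr request (`foracl`) made while the SECURITY_ACL flag is clear takes the branch that opens with `if (ctx->silent)`, and nothing at this site says so. The body of that branch is outside the hunk; if the silent case reports success without storing anything, a caller setting an ACL would not learn that it was discarded, which is worth confirming. A comment above the condition, for example `/* ACL xattrs are handled only when access control is active and SECURITY_ACL is set */`, would make the rule readable without decoding the nested parentheses. The identical line is added to the same function in src/ntfs-3g.c and the remark applies there too.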