author | Jeremy Allison <jra@samba.org> | 2008-11-03 22:42:53 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-11-03 22:42:53 -0800 |
commit | 4f8fac1b8e1d185f732c32f20e3b7060e3835435 (patch) | |
tree | 3c44cae7836d9cf7819f25ab62118055d2e8ad80 | |
parent | 31158c02568c28507a8a405328c457d144ac6829 (diff) | |
download | samba-4f8fac1b8e1d185f732c32f20e3b7060e3835435.tar.gz samba-4f8fac1b8e1d185f732c32f20e3b7060e3835435.tar.bz2 samba-4f8fac1b8e1d185f732c32f20e3b7060e3835435.zip |
Pass all the non-inherited S4 RAW-ACL tests.
Jeremy.
-rw-r--r-- | source3/lib/util_seaccess.c | 7 | ||||
-rw-r--r-- | source3/modules/vfs_acl_xattr.c | 4 | ||||
-rw-r--r-- | source3/smbd/open.c | 18 |
3 files changed, 15 insertions, 14 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index d7fdc9a8b9..fdc10f20ab 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -164,10 +164,17 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 /* handle the maximum allowed flag */
 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ uint32_t orig_access_desired = access_desired;
+
 access_desired |= access_check_max_allowed(sd, token);
 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 *access_granted = access_desired;
 bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+ DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+ orig_access_desired,
+ *access_granted,
+ bits_remaining));
 }
 #if 0
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index e465e8f380..c3b27f81a5 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -442,6 +442,10 @@ static int open_acl_xattr(vfs_handle_struct *handle,
 fsp->access_mask, &access_granted);
 if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("open_acl_xattr: file %s open "
+ "refused with error %s\n",
+ fname,
+ nt_errstr(status) ));
 errno = map_errno_from_nt_status(status);
 return -1;
 }
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 5836c43afc..dde1d0dd4b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1206,15 +1206,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 create_disposition, create_options, unx_mode, oplock_request));
- if ((access_mask & FILE_READ_DATA)||(access_mask & FILE_WRITE_DATA)) {
- DEBUG(10, ("open_file_ntcreate: adding FILE_READ_ATTRIBUTES "
- "to requested access_mask 0x%x, new mask 0x%x",
- access_mask,
- access_mask | FILE_READ_ATTRIBUTES ));
-
- access_mask |= FILE_READ_ATTRIBUTES;
- }
-
 if ((req == NULL) && ((oplock_request & INTERNAL_OPEN_ONLY) == 0)) {
 DEBUG(0, ("No smb request but not an internal only open!\n"));
 return NT_STATUS_INTERNAL_ERROR;
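Review bot: The `granted = 0x%x` field in the new DEBUG at the end of the SEC_FLAG_MAXIMUM_ALLOWED block prints `*access_granted` immediately after it was set to the request ORed with `access_check_max_allowed()`, so it reports a candidate mask rather than a decision. se_access_check() continues outside this hunk, and `bits_remaining` presumably still has to be satisfied there before the call succeeds, so a reader of a level-10 log during an ACL investigation could take this line as proof that access was given. I would relabel the field, e.g. `"se_access_check: MAX desired = 0x%x, provisional grant = 0x%x, remaining = 0x%x\n"`, or add `/* logged before the rest of the check runs; not the final result */` above the DEBUG.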
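Review bot: The refusal message added inside `if (!NT_STATUS_IS_OK(status))` in open_acl_xattr() names the file and the status but not the mask that was refused, which is the value needed to tell a genuine denial from an over-broad request. `fsp->access_mask` is already in scope as the argument passed to the check just above, so the format could become `"refused with error %s (requested 0x%x)\n"` with `(unsigned int)fsp->access_mask` appended to the arguments. The message is emitted at level 10 only, so denials stay invisible at normal log levels; if this module is meant to leave an audit trail, that needs a separate message at a lower level. open_acl_xattr() starts and ends outside the hunk.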
@@ -1408,10 +1399,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 }
 access_mask = access_granted;
- /*
- * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
- */
- access_mask |= FILE_READ_ATTRIBUTES;
 } else {
 access_mask = FILE_GENERIC_ALL;
 }
@@ -1856,7 +1843,10 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 /* Record the options we were opened with. */
 fsp->share_access = share_access;
 fsp->fh->private_options = create_options;
- fsp->access_mask = access_mask;
+ /*
+ * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+ */
+ fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;
 if (file_existed) {
 /* stat opens on existing files don't get oplocks. */ |
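Review bot: `fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;` in the last hunk stores a right on the handle that no longer passes through any access check in the lines shown: the -1206 hunk removes the OR that ran before the check, and the -1408 hunk removes the one applied after `access_mask = access_granted`. The comment should say that this is deliberate and state the consequence, for example `/* FILE_READ_ATTRIBUTES is added after the ACL check on purpose (Samba4 behaviour); the file's DACL cannot deny it. */`. The local `access_mask` and the stored `fsp->access_mask` now differ by this bit, so any code between the check and this assignment that consumes `access_mask` (share-mode handling would be the likely candidate, but it lies outside the hunk) sees a narrower mask than later per-handle checks do; it is worth confirming that this is intended. open_file_ntcreate() continues outside the hunk.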