summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2012-09-13 17:12:24 -0700
committerJeremy Allison <jra@samba.org>2012-09-15 00:37:49 +0200
commit8de46eac65deb33cd91fa242fb89fb59dc3cac42 (patch)
tree4426ac08dd29f35d1a2cf8c7dd6737cce64163d8
parent6d82976597d6418005a889781cc23adf6b3090c3 (diff)
downloadsamba-8de46eac65deb33cd91fa242fb89fb59dc3cac42.tar.gz
samba-8de46eac65deb33cd91fa242fb89fb59dc3cac42.tar.bz2
samba-8de46eac65deb33cd91fa242fb89fb59dc3cac42.zip
Add 'bool use_privs' to smbd_calculate_access_mask().
Replaces blanket root allow if set. Set to 'false' for all current callers. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Sep 15 00:37:49 CEST 2012 on sn-devel-104
-rw-r--r--source3/smbd/fake_file.c2
-rw-r--r--source3/smbd/globals.h1
-rw-r--r--source3/smbd/open.c11
-rw-r--r--source3/smbd/smb2_create.c1
4 files changed, 10 insertions, 5 deletions
diff --git a/source3/smbd/fake_file.c b/source3/smbd/fake_file.c
index d052d4965d..3f9e2aec05 100644
--- a/source3/smbd/fake_file.c
+++ b/source3/smbd/fake_file.c
@@ -129,7 +129,7 @@ NTSTATUS open_fake_file(struct smb_request *req, connection_struct *conn,
files_struct *fsp = NULL;
NTSTATUS status;
- status = smbd_calculate_access_mask(conn, smb_fname,
+ status = smbd_calculate_access_mask(conn, smb_fname, false,
access_mask, &access_mask);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("open_fake_file: smbd_calculate_access_mask "
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 566f04d71f..74e42c77af 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -202,6 +202,7 @@ bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx,
NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
const struct smb_filename *smb_fname,
+ bool use_privs,
uint32_t access_mask,
uint32_t *access_mask_out);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index b0303f8196..b67c045e34 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1662,13 +1662,14 @@ static void schedule_async_open(struct timeval request_time,
static NTSTATUS smbd_calculate_maximum_allowed_access(
connection_struct *conn,
const struct smb_filename *smb_fname,
+ bool use_privs,
uint32_t *p_access_mask)
{
struct security_descriptor *sd;
uint32_t access_granted;
NTSTATUS status;
- if (get_current_uid(conn) == (uid_t)0) {
+ if (!use_privs && (get_current_uid(conn) == (uid_t)0)) {
*p_access_mask |= FILE_GENERIC_ALL;
return NT_STATUS_OK;
}
@@ -1698,7 +1699,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
*/
status = se_file_access_check(sd,
get_current_nttok(conn),
- false,
+ use_privs,
(*p_access_mask & ~FILE_READ_ATTRIBUTES),
&access_granted);
@@ -1716,6 +1717,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
const struct smb_filename *smb_fname,
+ bool use_privs,
uint32_t access_mask,
uint32_t *access_mask_out)
{
@@ -1733,7 +1735,7 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
status = smbd_calculate_maximum_allowed_access(
- conn, smb_fname, &access_mask);
+ conn, smb_fname, use_privs, &access_mask);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -2085,6 +2087,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
}
status = smbd_calculate_access_mask(conn, smb_fname,
+ false,
access_mask,
&access_mask);
if (!NT_STATUS_IS_OK(status)) {
@@ -2922,7 +2925,7 @@ static NTSTATUS open_directory(connection_struct *conn,
(unsigned int)create_disposition,
(unsigned int)file_attributes));
- status = smbd_calculate_access_mask(conn, smb_dname,
+ status = smbd_calculate_access_mask(conn, smb_dname, false,
access_mask, &access_mask);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("open_directory: smbd_calculate_access_mask "
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 331ca49b1b..0d9a146b23 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -932,6 +932,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
status = smbd_calculate_access_mask(smb1req->conn,
result->fsp_name,
+ false,
SEC_FLAG_MAXIMUM_ALLOWED,
&max_access_granted);