authorJeremy Allison <jra@samba.org>2008-11-03 22:42:53 -0800
committerJeremy Allison <jra@samba.org>2008-11-03 22:42:53 -0800
commit4f8fac1b8e1d185f732c32f20e3b7060e3835435 (patch)
tree3c44cae7836d9cf7819f25ab62118055d2e8ad80
parent31158c02568c28507a8a405328c457d144ac6829 (diff)
Pass all the non-inherited S4 RAW-ACL tests.
Jeremy.
-rw-r--r--source3/lib/util_seaccess.c7
-rw-r--r--source3/modules/vfs_acl_xattr.c4
-rw-r--r--source3/smbd/open.c18
3 files changed, 15 insertions, 14 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index d7fdc9a8b9..fdc10f20ab 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -164,10 +164,17 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ uint32_t orig_access_desired = access_desired;
+
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+ DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+ orig_access_desired,
+ *access_granted,
+ bits_remaining));
}
#if 0
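Review bot: The added DEBUG passes three `uint32_t` values (`orig_access_desired`, `*access_granted`, `bits_remaining`) to `%x` without a cast, so the arguments match the format only where `uint32_t` is `unsigned int`. Casting each one, e.g. `(unsigned int)orig_access_desired`, keeps the trace correct on every platform. `orig_access_desired` exists only to feed this message, which deserves a short comment such as `/* kept for the debug trace below */` so it is not later mistaken for a value the check depends on. The body of se_access_check continues outside the hunk.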
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index e465e8f380..c3b27f81a5 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -442,6 +442,10 @@ static int open_acl_xattr(vfs_handle_struct *handle,
fsp->access_mask,
&access_granted);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("open_acl_xattr: file %s open "
+ "refused with error %s\n",
+ fname,
+ nt_errstr(status) ));
errno = map_errno_from_nt_status(status);
return -1;
}
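Review bot: The new refusal message in open_acl_xattr names the file and the NT status but omits the access mask that was denied, which anyone diagnosing an ACL denial needs first. `fsp->access_mask` is already in scope as an argument to the check just above, so the message could read `"open_acl_xattr: file %s open for access 0x%x refused with error %s\n"` with `(unsigned int)fsp->access_mask` added to the arguments. `fname` arrives from the client, so the log line should be treated as containing untrusted text by whatever consumes it. The function starts and ends outside the hunk.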
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 5836c43afc..dde1d0dd4b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1206,15 +1206,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
create_disposition, create_options, unx_mode,
oplock_request));
- if ((access_mask & FILE_READ_DATA)||(access_mask & FILE_WRITE_DATA)) {
- DEBUG(10, ("open_file_ntcreate: adding FILE_READ_ATTRIBUTES "
- "to requested access_mask 0x%x, new mask 0x%x",
- access_mask,
- access_mask | FILE_READ_ATTRIBUTES ));
-
- access_mask |= FILE_READ_ATTRIBUTES;
- }
-
if ((req == NULL) && ((oplock_request & INTERNAL_OPEN_ONLY) == 0)) {
DEBUG(0, ("No smb request but not an internal only open!\n"));
return NT_STATUS_INTERNAL_ERROR;
@@ -1408,10 +1399,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
}
access_mask = access_granted;
- /*
- * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
- */
- access_mask |= FILE_READ_ATTRIBUTES;
} else {
access_mask = FILE_GENERIC_ALL;
}
@@ -1856,7 +1843,10 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
/* Record the options we were opened with. */
fsp->share_access = share_access;
fsp->fh->private_options = create_options;
- fsp->access_mask = access_mask;
+ /*
+ * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+ */
+ fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;
if (file_existed) {
/* stat opens on existing files don't get oplocks. */
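Review bot: `fsp->access_mask` now carries FILE_READ_ATTRIBUTES on every open whether or not the DACL granted it, but the comment above the assignment does not say that this is a deliberate exception applied after the access check. The comment also names `SEC_FILE_READ_ATTRIBUTE` while the code uses `FILE_READ_ATTRIBUTES`, and it ends on a trailing comma. Something like `/* FILE_READ_ATTRIBUTES is always granted on a successful open (Samba4 behaviour); it is added here, after the access check, so it is never tested against the DACL. */` would record the intent. Since the bit is no longer OR-ed into the local `access_mask`, any later use of that local in open_file_ntcreate sees a different mask from the one stored on the handle. The rest of the function is outside the hunk, so this needs checking against the full file.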