authorJeremy Allison <jra@samba.org>2012-02-28 09:47:50 -0800
committerJeremy Allison <jra@samba.org>2012-02-28 20:21:26 +0100
commit6081fabe7e0f461ea7d288c40727d4fb5defce5d (patch)
treea91615884972a0bb82d1c9fa432a2df19f1a35dd
parentd12bad72ba4c6492b137fb6fa04b595e64e6d993 (diff)
Fix problem reported by Tom Lee <tlee2951@gmail.com> - when calculating
the share security mask, take privileges into account for the connecting user. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Tue Feb 28 20:21:26 CET 2012 on sn-devel-104
-rw-r--r--source3/smbd/service.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index b08811bab2..8436fbee91 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -523,6 +523,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
}
/****************************************************************************
+ Setup the share access mask for a connection.
+****************************************************************************/
+
+static void create_share_access_mask(connection_struct *conn, int snum)
+{
+ const struct security_token *token = conn->session_info->security_token;
+
+ share_access_check(token,
+ lp_servicename(snum),
+ MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+
+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+ conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ conn->share_access |= (SEC_STD_WRITE_OWNER);
+ }
+}
+
+/****************************************************************************
Make a connection, given the snum to connect to, and the vuser of the
connecting user if appropriate.
****************************************************************************/
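Review bot: create_share_access_mask() discards the result of share_access_check() and then ORs the privilege-derived bits into conn->share_access unconditionally, so the final mask cannot distinguish a failed ACL check from one that granted nothing. If share_access_check() leaves its output untouched on failure (its body is not shown here, so this is inferred), the privilege bits are layered on whatever conn->share_access held before; starting the function with `conn->share_access = 0;` would make the base value explicit. The header comment should also say that these bits are granted on top of the share security descriptor, for example `Privileges held by the token (security, restore, backup, take-ownership) widen the mask beyond what the share ACL grants.` That matters because the FILE_WRITE_DATA / FILE_READ_DATA tests in make_connection_snum (second hunk) now run against the widened mask, so it is worth confirming whether SEC_RIGHTS_PRIV_RESTORE or SEC_RIGHTS_PRIV_BACKUP contain those bits and whether a read-only or ACL-denied share is still meant to be reachable by a privileged token.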
@@ -636,9 +663,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
*
*/
- share_access_check(conn->session_info->security_token,
- lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
- &conn->share_access);
+ create_share_access_mask(conn, snum);
if ((conn->share_access & FILE_WRITE_DATA) == 0) {
if ((conn->share_access & FILE_READ_DATA) == 0) {