summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-10-18 10:32:06 +1100
committerAndrew Tridgell <tridge@samba.org>2009-10-18 10:32:06 +1100
commita2aa13da3272b62b8d47d624a0d7fc65825adf6e (patch)
tree00c41be53adf5cd6a0b262ce82a890963875d7d8
parentbae8c93d9b5b2ae9a028573559b2fd0d306c0530 (diff)
downloadsamba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.tar.gz
samba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.tar.bz2
samba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.zip
s4-pvfs: more fixes for ACLs on file creation
The passed in SD is not used to limit the access mask allowed on file create.
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c23
1 files changed, 12 insertions, 11 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 842aced6f2..5931a38f2e 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -659,14 +659,10 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
}
status = pvfs_resolve_parent(pvfs, req, name, &parent);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ NT_STATUS_NOT_OK_RETURN(status);
status = pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ NT_STATUS_NOT_OK_RETURN(status);
if (*sd == NULL) {
status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, sd);
@@ -679,14 +675,19 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
/* expand the generic access bits to file specific bits */
*access_mask = pvfs_translate_mask(*access_mask);
- if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
- *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+
+ if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_mask |= SEC_RIGHTS_FILE_ALL;
+ *access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
}
- if (*sd == NULL) {
- return pvfs_access_check_unix(pvfs, req, NULL, access_mask);
+ if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+ /* on SMB, this bit is always granted, even if not
+ asked for */
+ *access_mask |= SEC_FILE_READ_ATTRIBUTE;
}
- return sec_access_check(*sd, token, *access_mask, access_mask);
+
+ return NT_STATUS_OK;
}
/*