summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-03-12 14:31:47 -0800
committerJeremy Allison <jra@samba.org>2010-03-12 14:31:47 -0800
commita2be29dfa32a675249f743632a24450d5147a112 (patch)
tree4db445dfdecab1001fab91b96e24ab12fa810e1d
parente80ceb1d7355c8c46a2ed90d5721cf367640f4e8 (diff)
downloadsamba-a2be29dfa32a675249f743632a24450d5147a112.tar.gz
samba-a2be29dfa32a675249f743632a24450d5147a112.tar.bz2
samba-a2be29dfa32a675249f743632a24450d5147a112.zip
Missed a couple more uses of conn->server_info->ptok that need to be get_current_nttok(conn)
Centralize the root check into smb1_file_se_access_check() so this is used by modules/vfs_acl_common.c also. Jeremy.
-rw-r--r--source3/include/proto.h9
-rw-r--r--source3/modules/vfs_acl_common.c16
-rw-r--r--source3/smbd/open.c41
3 files changed, 36 insertions, 30 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b4304d27d..6e210de458 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6594,10 +6594,11 @@ void reply_nttranss(struct smb_request *req);
/* The following definitions come from smbd/open.c */
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
- uint32_t access_desired,
- uint32_t *access_granted);
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted);
NTSTATUS fd_close(files_struct *fsp);
void change_file_owner_to_parent(connection_struct *conn,
const char *inherit_from_dir,
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 5d6cfe7f3e..9e356b933e 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -471,8 +471,12 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
nt_errstr(status) ));
return status;
}
- status = smb1_file_se_access_check(parent_desc,
- handle->conn->server_info->ptok,
+ if (pp_parent_desc) {
+ *pp_parent_desc = parent_desc;
+ }
+ status = smb1_file_se_access_check(handle->conn,
+ parent_desc,
+ get_current_nttok(handle->conn),
access_mask,
&access_granted);
if(!NT_STATUS_IS_OK(status)) {
@@ -485,9 +489,6 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
nt_errstr(status) ));
return status;
}
- if (pp_parent_desc) {
- *pp_parent_desc = parent_desc;
- }
return NT_STATUS_OK;
}
@@ -535,8 +536,9 @@ static int open_acl_common(vfs_handle_struct *handle,
&pdesc);
if (NT_STATUS_IS_OK(status)) {
/* See if we can access it. */
- status = smb1_file_se_access_check(pdesc,
- handle->conn->server_info->ptok,
+ status = smb1_file_se_access_check(handle->conn,
+ pdesc,
+ get_current_nttok(handle->conn),
fsp->access_mask,
&access_granted);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3eb727f96b..0834e6d3d3 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -50,11 +50,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
****************************************************************************/
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
- uint32_t access_desired,
- uint32_t *access_granted)
+NTSTATUS smb1_file_se_access_check(struct connection_struct *conn,
+ const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted)
{
+ *access_granted = 0;
+
+ if (get_current_uid(conn) == (uid_t)0) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_desired;
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_granted |= FILE_GENERIC_ALL;
+ }
+ return NT_STATUS_OK;
+ }
+
return se_access_check(sd,
token,
(access_desired & ~FILE_READ_ATTRIBUTES),
@@ -74,17 +86,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
NTSTATUS status;
struct security_descriptor *sd = NULL;
- *access_granted = 0;
-
- if (get_current_uid(conn) == (uid_t)0) {
- /* I'm sorry sir, I didn't know you were root... */
- *access_granted = access_mask;
- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
- *access_granted |= FILE_GENERIC_ALL;
- }
- return NT_STATUS_OK;
- }
-
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
(OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
@@ -98,8 +99,9 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
return status;
}
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
access_mask,
access_granted);
@@ -1419,8 +1421,9 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
access_mask,
&access_granted);