summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2006-07-17 19:50:59 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:38:11 -0500
commit283b74fce595642fb2e2a2fad87c2de9c3bc5403 (patch)
treeb2b6e7a77c5ac7646ce7374a9dffa9d9b1d892ba
parent03f477b8a682a923472645e517711b80ac99d3a9 (diff)
downloadsamba-283b74fce595642fb2e2a2fad87c2de9c3bc5403.tar.gz
samba-283b74fce595642fb2e2a2fad87c2de9c3bc5403.tar.bz2
samba-283b74fce595642fb2e2a2fad87c2de9c3bc5403.zip
r17096: Simplify share_access_check a bit: It takes the sharename instead of the snum,
and the decision which token to use (conn or vuser) does not really belong here, it is better done in the two places where this is called. Volker (This used to be commit 0a138888adf7a0f04a38cd911e797e1a379e908b)
-rw-r--r--source3/rpc_server/srv_srvsvc_nt.c24
-rw-r--r--source3/smbd/service.c9
-rw-r--r--source3/smbd/uid.c9
3 files changed, 23 insertions, 19 deletions
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 50df99901b..19099b931e 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -320,36 +320,30 @@ static void map_generic_share_sd_bits(SEC_DESC *psd)
Can this user access with share with the required permissions ?
********************************************************************/
-BOOL share_access_check(connection_struct *conn, int snum, user_struct *vuser, uint32 desired_access)
+BOOL share_access_check(const NT_USER_TOKEN *token, const char *sharename,
+ uint32 desired_access)
{
uint32 granted;
NTSTATUS status;
TALLOC_CTX *mem_ctx = NULL;
SEC_DESC *psd = NULL;
size_t sd_size;
- NT_USER_TOKEN *token = NULL;
BOOL ret = True;
- mem_ctx = talloc_init("share_access_check");
- if (mem_ctx == NULL)
+ if (!(mem_ctx = talloc_init("share_access_check"))) {
return False;
+ }
- psd = get_share_security(mem_ctx, lp_servicename(snum), &sd_size);
-
- if (!psd)
- goto out;
+ psd = get_share_security(mem_ctx, sharename, &sd_size);
- if (conn->nt_user_token)
- token = conn->nt_user_token;
- else
- token = vuser->nt_user_token;
+ if (!psd) {
+ TALLOC_FREE(mem_ctx);
+ return True;
+ }
ret = se_access_check(psd, token, desired_access, &granted, &status);
-out:
-
talloc_destroy(mem_ctx);
-
return ret;
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 9dcb8a354f..395114592a 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -767,11 +767,16 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
*/
{
- BOOL can_write = share_access_check(conn, snum, vuser,
+ NT_USER_TOKEN *token = conn->nt_user_token ?
+ conn->nt_user_token : vuser->nt_user_token;
+
+ BOOL can_write = share_access_check(token,
+ lp_servicename(snum),
FILE_WRITE_DATA);
if (!can_write) {
- if (!share_access_check(conn, snum, vuser,
+ if (!share_access_check(token,
+ lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
DEBUG(0,("make_connection: connection to %s "
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 48d7f590c3..89d082e1ac 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -87,6 +87,7 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
unsigned int i;
struct vuid_cache_entry *ent = NULL;
BOOL readonly_share;
+ NT_USER_TOKEN *token;
for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) {
if (conn->vuid_cache.array[i].vuid == vuser->vuid) {
@@ -104,8 +105,12 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
vuser->nt_user_token,
SNUM(conn));
+ token = conn->nt_user_token ?
+ conn->nt_user_token : vuser->nt_user_token;
+
if (!readonly_share &&
- !share_access_check(conn, snum, vuser, FILE_WRITE_DATA)) {
+ !share_access_check(token, lp_servicename(snum),
+ FILE_WRITE_DATA)) {
/* smb.conf allows r/w, but the security descriptor denies
* write. Fall back to looking at readonly. */
readonly_share = True;
@@ -113,7 +118,7 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
"security descriptor\n"));
}
- if (!share_access_check(conn, snum, vuser,
+ if (!share_access_check(token, lp_servicename(snum),
readonly_share ?
FILE_READ_DATA : FILE_WRITE_DATA)) {
return False;