diff options
author | Jeremy Allison <jra@samba.org> | 2010-03-12 14:31:47 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-03-12 14:31:47 -0800 |
commit | a2be29dfa32a675249f743632a24450d5147a112 (patch) | |
tree | 4db445dfdecab1001fab91b96e24ab12fa810e1d | |
parent | e80ceb1d7355c8c46a2ed90d5721cf367640f4e8 (diff) | |
download | samba-a2be29dfa32a675249f743632a24450d5147a112.tar.gz samba-a2be29dfa32a675249f743632a24450d5147a112.tar.bz2 samba-a2be29dfa32a675249f743632a24450d5147a112.zip |
Missed a couple more uses of conn->server_info->ptok that need to be get_current_nttok(conn)
Centralize the root check into smb1_file_se_access_check()
so this is used by modules/vfs_acl_common.c also.
Jeremy.
-rw-r--r-- | source3/include/proto.h | 9 | ||||
-rw-r--r-- | source3/modules/vfs_acl_common.c | 16 | ||||
-rw-r--r-- | source3/smbd/open.c | 41 |
3 files changed, 36 insertions, 30 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 5b4304d27d..6e210de458 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -6594,10 +6594,11 @@ void reply_nttranss(struct smb_request *req); /* The following definitions come from smbd/open.c */ -NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, - const NT_USER_TOKEN *token, - uint32_t access_desired, - uint32_t *access_granted); +NTSTATUS smb1_file_se_access_check(connection_struct *conn, + const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted); NTSTATUS fd_close(files_struct *fsp); void change_file_owner_to_parent(connection_struct *conn, const char *inherit_from_dir, diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index 5d6cfe7f3e..9e356b933e 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -471,8 +471,12 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, nt_errstr(status) )); return status; } - status = smb1_file_se_access_check(parent_desc, - handle->conn->server_info->ptok, + if (pp_parent_desc) { + *pp_parent_desc = parent_desc; + } + status = smb1_file_se_access_check(handle->conn, + parent_desc, + get_current_nttok(handle->conn), access_mask, &access_granted); if(!NT_STATUS_IS_OK(status)) { @@ -485,9 +489,6 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, nt_errstr(status) )); return status; } - if (pp_parent_desc) { - *pp_parent_desc = parent_desc; - } return NT_STATUS_OK; } @@ -535,8 +536,9 @@ static int open_acl_common(vfs_handle_struct *handle, &pdesc); if (NT_STATUS_IS_OK(status)) { /* See if we can access it. */ - status = smb1_file_se_access_check(pdesc, - handle->conn->server_info->ptok, + status = smb1_file_se_access_check(handle->conn, + pdesc, + get_current_nttok(handle->conn), fsp->access_mask, &access_granted); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 3eb727f96b..0834e6d3d3 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -50,11 +50,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES. ****************************************************************************/ -NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, - const NT_USER_TOKEN *token, - uint32_t access_desired, - uint32_t *access_granted) +NTSTATUS smb1_file_se_access_check(struct connection_struct *conn, + const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted) { + *access_granted = 0; + + if (get_current_uid(conn) == (uid_t)0) { + /* I'm sorry sir, I didn't know you were root... */ + *access_granted = access_desired; + if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + *access_granted |= FILE_GENERIC_ALL; + } + return NT_STATUS_OK; + } + return se_access_check(sd, token, (access_desired & ~FILE_READ_ATTRIBUTES), @@ -74,17 +86,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, NTSTATUS status; struct security_descriptor *sd = NULL; - *access_granted = 0; - - if (get_current_uid(conn) == (uid_t)0) { - /* I'm sorry sir, I didn't know you were root... */ - *access_granted = access_mask; - if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { - *access_granted |= FILE_GENERIC_ALL; - } - return NT_STATUS_OK; - } - status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | @@ -98,8 +99,9 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, return status; } - status = smb1_file_se_access_check(sd, - conn->server_info->ptok, + status = smb1_file_se_access_check(conn, + sd, + get_current_nttok(conn), access_mask, access_granted); @@ -1419,8 +1421,9 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, return NT_STATUS_ACCESS_DENIED; } - status = smb1_file_se_access_check(sd, - conn->server_info->ptok, + status = smb1_file_se_access_check(conn, + sd, + get_current_nttok(conn), access_mask, &access_granted); |