diff options
author | Volker Lendecke <vl@samba.org> | 2011-12-16 18:51:19 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2012-01-03 13:38:02 +0100 |
commit | c01f02a4b97de453a0db7feb3c2d323f05fac7f6 (patch) | |
tree | 1894ac3b207713d2d60b58bf3c64c5450fe29167 | |
parent | 49a520217ceb04cbd4278a3bce7cb1f8dd04b018 (diff) | |
download | samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.tar.gz samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.tar.bz2 samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.zip |
s3: Avoid "file_existed" in smbd_calculate_maximum_allowed_access
We access the file by name anyway, so we can just try to access it. The file
system will for sure tell us if the file does not exist.
-rw-r--r-- | source3/smbd/open.c | 71 |
1 files changed, 35 insertions, 36 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index db4831d3d2..d9491b5f04 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1479,9 +1479,10 @@ static void schedule_defer_open(struct share_mode_lock *lck, static NTSTATUS smbd_calculate_maximum_allowed_access( connection_struct *conn, const struct smb_filename *smb_fname, - bool file_existed, uint32_t *p_access_mask) { + struct security_descriptor *sd; + uint32_t access_granted; NTSTATUS status; if (get_current_uid(conn) == (uid_t)0) { @@ -1489,47 +1490,45 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( return NT_STATUS_OK; } - if (file_existed) { - struct security_descriptor *sd; - uint32_t access_granted = 0; - - status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, - (SECINFO_OWNER | - SECINFO_GROUP | - SECINFO_DACL),&sd); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("smbd_calculate_access_mask: " - "Could not get acl on file %s: %s\n", - smb_fname_str_dbg(smb_fname), - nt_errstr(status))); - return NT_STATUS_ACCESS_DENIED; - } + status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, + (SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL),&sd); + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { /* - * Never test FILE_READ_ATTRIBUTES. se_access_check() - * also takes care of owner WRITE_DAC and READ_CONTROL. + * File did not exist */ - status = se_access_check(sd, - get_current_nttok(conn), - (*p_access_mask & ~FILE_READ_ATTRIBUTES), - &access_granted); + *p_access_mask = FILE_GENERIC_ALL; + return NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("smbd_calculate_access_mask: " + "Could not get acl on file %s: %s\n", + smb_fname_str_dbg(smb_fname), + nt_errstr(status))); + return NT_STATUS_ACCESS_DENIED; + } - TALLOC_FREE(sd); + /* + * Never test FILE_READ_ATTRIBUTES. se_access_check() + * also takes care of owner WRITE_DAC and READ_CONTROL. + */ + status = se_access_check(sd, + get_current_nttok(conn), + (*p_access_mask & ~FILE_READ_ATTRIBUTES), + &access_granted); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("smbd_calculate_access_mask: " - "Access denied on file %s: " - "when calculating maximum access\n", - smb_fname_str_dbg(smb_fname))); - return NT_STATUS_ACCESS_DENIED; - } + TALLOC_FREE(sd); - *p_access_mask = (access_granted | FILE_READ_ATTRIBUTES); - return NT_STATUS_OK; + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("smbd_calculate_access_mask: " + "Access denied on file %s: " + "when calculating maximum access\n", + smb_fname_str_dbg(smb_fname))); + return NT_STATUS_ACCESS_DENIED; } - - *p_access_mask = FILE_GENERIC_ALL; + *p_access_mask = (access_granted | FILE_READ_ATTRIBUTES); return NT_STATUS_OK; } @@ -1553,7 +1552,7 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, if (access_mask & MAXIMUM_ALLOWED_ACCESS) { status = smbd_calculate_maximum_allowed_access( - conn, smb_fname, file_existed, &access_mask); + conn, smb_fname, &access_mask); if (!NT_STATUS_IS_OK(status)) { return status; |