diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-07-10 13:03:51 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-07-11 21:33:20 +0200 |
commit | 896f105ed40dc04f83bcbfac367b309c8d957f86 (patch) | |
tree | 7dd15d6d22b3b106dd67f1a1f9331eb729535ea1 | |
parent | ce66d4e4a885add09edfa8e6d5eab0f3b5d63081 (diff) | |
download | samba-896f105ed40dc04f83bcbfac367b309c8d957f86.tar.gz samba-896f105ed40dc04f83bcbfac367b309c8d957f86.tar.bz2 samba-896f105ed40dc04f83bcbfac367b309c8d957f86.zip |
s3:smbd: check the share level access mask in smbd_calculate_access_mask()
I think we should reject invalid access early,
before we might create new files.
Also smbd_check_open_rights() is only called if the file existed.
metze
-rw-r--r-- | source3/smbd/open.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 96faf0f4b7..5bbcf1e616 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1530,6 +1530,8 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, uint32_t *access_mask_out) { NTSTATUS status; + uint32_t orig_access_mask = access_mask; + uint32_t rejected_share_access; /* * Convert GENERIC bits to specific bits. @@ -1577,6 +1579,21 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, } else { access_mask = FILE_GENERIC_ALL; } + + access_mask &= conn->share_access; + } + + rejected_share_access = access_mask & ~(conn->share_access); + + if (rejected_share_access) { + DEBUG(10, ("smbd_calculate_access_mask: Access denied on " + "file %s: rejected by share access mask[0x%08X] " + "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n", + smb_fname_str_dbg(smb_fname), + conn->share_access, + orig_access_mask, access_mask, + rejected_share_access)); + return NT_STATUS_ACCESS_DENIED; } *access_mask_out = access_mask; |