author | Jeremy Allison <jra@samba.org> | 2012-09-13 17:12:24 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2012-09-15 00:37:49 +0200 |
commit | 8de46eac65deb33cd91fa242fb89fb59dc3cac42 (patch) | |
tree | 4426ac08dd29f35d1a2cf8c7dd6737cce64163d8 | |
parent | 6d82976597d6418005a889781cc23adf6b3090c3 (diff) | |
Add 'bool use_privs' to smbd_calculate_access_mask().
Replaces blanket root allow if set. Set to 'false' for
all current callers.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 15 00:37:49 CEST 2012 on sn-devel-104
-rw-r--r-- | source3/smbd/fake_file.c | 2 | ||||
-rw-r--r-- | source3/smbd/globals.h | 1 | ||||
-rw-r--r-- | source3/smbd/open.c | 11 | ||||
-rw-r--r-- | source3/smbd/smb2_create.c | 1 |
4 files changed, 10 insertions, 5 deletions
diff --git a/source3/smbd/fake_file.c b/source3/smbd/fake_file.c
index d052d4965d..3f9e2aec05 100644
--- a/source3/smbd/fake_file.c
+++ b/source3/smbd/fake_file.c
@@ -129,7 +129,7 @@ NTSTATUS open_fake_file(struct smb_request *req, connection_struct *conn,
 files_struct *fsp = NULL;
 NTSTATUS status;
- status = smbd_calculate_access_mask(conn, smb_fname,
+ status = smbd_calculate_access_mask(conn, smb_fname, false,
 access_mask, &access_mask);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(10, ("open_fake_file: smbd_calculate_access_mask "
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 566f04d71f..74e42c77af 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -202,6 +202,7 @@ bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx,
 NTSTATUS smbd_calculate_access_mask(connection_struct *conn, const struct smb_filename *smb_fname,
+ bool use_privs,
 uint32_t access_mask, uint32_t *access_mask_out);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index b0303f8196..b67c045e34 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1662,13 +1662,14 @@ static void schedule_async_open(struct timeval request_time,
 static NTSTATUS smbd_calculate_maximum_allowed_access(
 connection_struct *conn, const struct smb_filename *smb_fname,
+ bool use_privs,
 uint32_t *p_access_mask)
 {
 struct security_descriptor *sd;
 uint32_t access_granted;
 NTSTATUS status;
- if (get_current_uid(conn) == (uid_t)0) {
+ if (!use_privs && (get_current_uid(conn) == (uid_t)0)) {
 *p_access_mask |= FILE_GENERIC_ALL;
 return NT_STATUS_OK;
 }
@@ -1698,7 +1699,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
 */
 status = se_file_access_check(sd, get_current_nttok(conn),
- false,
+ use_privs,
 (*p_access_mask & ~FILE_READ_ATTRIBUTES), &access_granted);
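Review bot: The new third argument is passed as a bare `false` in open_fake_file, which tells a reader nothing about what is being switched off in an access-mask calculation. Naming it at the call keeps the privilege decision visible, for example `status = smbd_calculate_access_mask(conn, smb_fname, false, /* use_privs */`. The same applies to the calls in open_file_ntcreate, open_directory and smbd_smb2_create_send later in this commit. open_fake_file's body continues outside the hunk.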
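Review bot: The prototype of smbd_calculate_access_mask in globals.h gains `bool use_privs` with no comment, and this header is where a caller will look before passing `true`. From the open.c hunks of this commit, the flag disables the uid-0 shortcut that ORs in FILE_GENERIC_ALL and is forwarded to se_file_access_check, and the only use visible there is on the MAXIMUM_ALLOWED_ACCESS path. A comment above the declaration should record that, e.g. `/* use_privs: do not grant root FILE_GENERIC_ALL; pass use_privs on to se_file_access_check() for MAXIMUM_ALLOWED requests */`. Whether the flag has any effect on requests without MAXIMUM_ALLOWED_ACCESS cannot be seen from the hunks and should be confirmed before it is documented.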
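Review bot: No caller in this commit passes `true`, so the rewritten condition `if (!use_privs && (get_current_uid(conn) == (uid_t)0))` in smbd_calculate_maximum_allowed_access and the `use_privs` argument forwarded to se_file_access_check in the following hunk are not exercised by any path shown here. With `use_privs` set, a uid-0 connection no longer returns early with FILE_GENERIC_ALL and instead reaches the security-descriptor handling and the access check; the code between the two hunks is not shown, so it is worth confirming that a failure there being returned to a root caller is intended. A comment on the condition would record the intent, e.g. `/* use_privs: no blanket allow for root; the SD and token decide. */`. The first caller that passes `true` should come with a test covering the root case.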
@@ -1716,6 +1717,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
 NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
 const struct smb_filename *smb_fname,
+ bool use_privs,
 uint32_t access_mask, uint32_t *access_mask_out)
 {
@@ -1733,7 +1735,7 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
 if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
 status = smbd_calculate_maximum_allowed_access(
- conn, smb_fname, &access_mask);
+ conn, smb_fname, use_privs, &access_mask);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
@@ -2085,6 +2087,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 }
 status = smbd_calculate_access_mask(conn, smb_fname,
+ false,
 access_mask, &access_mask);
 if (!NT_STATUS_IS_OK(status)) {
@@ -2922,7 +2925,7 @@ static NTSTATUS open_directory(connection_struct *conn,
 (unsigned int)create_disposition, (unsigned int)file_attributes));
- status = smbd_calculate_access_mask(conn, smb_dname,
+ status = smbd_calculate_access_mask(conn, smb_dname, false,
 access_mask, &access_mask);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(10, ("open_directory: smbd_calculate_access_mask "
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 331ca49b1b..0d9a146b23 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -932,6 +932,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
 status = smbd_calculate_access_mask(smb1req->conn, result->fsp_name,
+ false,
 SEC_FLAG_MAXIMUM_ALLOWED, &max_access_granted); |