summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-10-11 17:10:28 -0700
committerJeremy Allison <jra@samba.org>2010-10-11 17:10:28 -0700
commit6f4e782c5343fc46f9029a549c419e5f3c1e6190 (patch)
treee5797b4a2dba2574278cdf7a6169693ea6393d4d
parent71d9f51b4eaedbecaf4b9e7a7fffae33dba6ba2e (diff)
downloadsamba-6f4e782c5343fc46f9029a549c419e5f3c1e6190.tar.gz
samba-6f4e782c5343fc46f9029a549c419e5f3c1e6190.tar.bz2
samba-6f4e782c5343fc46f9029a549c419e5f3c1e6190.zip
Canonicalize incoming and outgoing ACLs.
Jeremy.
-rw-r--r--source3/smbd/nttrans.c59
1 files changed, 55 insertions, 4 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 40a47fde5c..017703ee97 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -836,11 +836,15 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
struct security_descriptor *psd = NULL;
NTSTATUS status;
+ if (sd_len == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
if (!CAN_WRITE(fsp->conn)) {
return NT_STATUS_ACCESS_DENIED;
}
- if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
+ if (!lp_nt_acl_support(SNUM(fsp->conn))) {
return NT_STATUS_OK;
}
@@ -857,9 +861,43 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
security_info_sent &= ~SECINFO_GROUP;
}
- /* Convert all the generic bits. */
- security_acl_map_generic(psd->dacl, &file_generic_mapping);
- security_acl_map_generic(psd->sacl, &file_generic_mapping);
+ /* Ensure we have at least one thing set. */
+ if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Ensure we have the rights to do this. */
+ if (security_info_sent & SECINFO_OWNER) {
+ if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (security_info_sent & SECINFO_GROUP) {
+ if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (security_info_sent & SECINFO_DACL) {
+ if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ /* Convert all the generic bits. */
+ if (psd->dacl) {
+ security_acl_map_generic(psd->dacl, &file_generic_mapping);
+ }
+ }
+
+ if (security_info_sent & SECINFO_SACL) {
+ if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ /* Convert all the generic bits. */
+ if (psd->sacl) {
+ security_acl_map_generic(psd->sacl, &file_generic_mapping);
+ }
+ }
if (DEBUGLEVEL >= 10) {
DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
@@ -1808,6 +1846,19 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
return status;
}
+ if (!(security_info_wanted & SECINFO_OWNER)) {
+ psd->owner_sid = NULL;
+ }
+ if (!(security_info_wanted & SECINFO_GROUP)) {
+ psd->group_sid = NULL;
+ }
+ if (!(security_info_wanted & SECINFO_DACL)) {
+ psd->dacl = NULL;
+ }
+ if (!(security_info_wanted & SECINFO_SACL)) {
+ psd->sacl = NULL;
+ }
+
/* If the SACL/DACL is NULL, but was requested, we mark that it is
* present in the reply to match Windows behavior */
if (psd->sacl == NULL &&