authorMichael Adam <obnox@samba.org>2013-09-02 17:37:50 +0200
committerMichael Adam <obnox@samba.org>2013-09-10 23:33:12 +0200
commit1e29d730663382875d96c275c60e022a1c33a2d1 (patch)
tree90c243918b7d6f51fca3023df8da331cecce1c95 /source3/smbd/open.c
parentde3bc10ef69f23e7dab9fc3f6990bb403824b14e (diff)
s3:smbd: ease file server upgrades from 3.6 and earlier with "acl allow execute aways"
3.6 and earlier allowed open for execution when execute permissions are not present on a file. This has been fixed in Samba 4.0. This patch changes smbd to skip the execute bit from the ACL check in the open code if "acl allow execute always = yes", hence re-establishing the old behaviour in this case. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Diffstat (limited to 'source3/smbd/open.c')
-rw-r--r--source3/smbd/open.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e5ea71576b..b9618b41dc 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -76,6 +76,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
struct security_descriptor *sd = NULL;
uint32_t rejected_share_access;
uint32_t rejected_mask = access_mask;
+ uint32_t do_not_check_mask = 0;
rejected_share_access = access_mask & ~(conn->share_access);
@@ -143,10 +144,23 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
* se_file_access_check() also takes care of
* owner WRITE_DAC and READ_CONTROL.
*/
+ do_not_check_mask = FILE_READ_ATTRIBUTES;
+
+ /*
+ * Samba 3.6 and earlier granted execute access even
+ * if the ACL did not contain execute rights.
+ * Samba 4.0 is more correct and checks it.
+ * The compatibilty mode allows to skip this check
+ * to smoothen upgrades.
+ */
+ if (lp_acl_allow_execute_always(SNUM(conn))) {
+ do_not_check_mask |= FILE_EXECUTE;
+ }
+
status = se_file_access_check(sd,
get_current_nttok(conn),
use_privs,
- (access_mask & ~FILE_READ_ATTRIBUTES),
+ (access_mask & ~do_not_check_mask),
&rejected_mask);
DEBUG(10,("smbd_check_access_rights: file %s requesting "
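Review bot: The comment above the `lp_acl_allow_execute_always(SNUM(conn))` branch understates what the mask does: once `FILE_EXECUTE` is stripped from the mask handed to `se_file_access_check()`, nothing in the ACL can reject that bit, so an explicit deny ACE for execute is ignored as well as a missing allow. I would state that in the comment, e.g. `* With "acl allow execute always = yes" FILE_EXECUTE is not checked at all, so deny ACEs for execute are ignored too.` `FILE_EXECUTE` has the same bit value as the directory traverse right, so if this path is also reached for directory opens the option presumably relaxes traverse checks there as well; that is worth confirming and documenting for admins who enable it on a share. The body of `smbd_check_access_rights` starts and ends outside the hunk, so how `rejected_mask` is used afterwards is not visible here.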