Add bool use_privs parameter to smbd_check_access_rights()

If this is set we should use it in preference to blindly assuming root can do anything. Currently set to 'false' in (most) callers.
author: Jeremy Allison <jra@samba.org> 2012-09-13 16:11:31 -0700
committer: Jeremy Allison <jra@samba.org> 2012-09-14 22:54:29 +0200
commit: aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad (patch)
tree: 406b0b33ee5ba049988501e4451221943a2ac36d /source3/smbd/open.c
parent: 1e34d584393c09a43bf0226bebc0ae0f675e57ae (diff)
download: samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.tar.gz
samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.tar.bz2
samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 0da238679e..ccad07c6e9 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -65,6 +65,7 @@ static bool parent_override_delete(connection_struct *conn,
 
 NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 				const struct smb_filename *smb_fname,
+				bool use_privs,
 				uint32_t access_mask)
 {
 	/* Check if we have rights to open. */
@@ -84,7 +85,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (get_current_uid(conn) == (uid_t)0) {
+	if (!use_privs && get_current_uid(conn) == (uid_t)0) {
 		/* I'm sorry sir, I didn't know you were root... */
 		DEBUG(10,("smbd_check_access_rights: root override "
 			"on %s. Granting 0x%x\n",
@@ -135,7 +136,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 	 */
 	status = se_file_access_check(sd,
 				get_current_nttok(conn),
-				false,
+				use_privs,
 				(access_mask & ~FILE_READ_ATTRIBUTES),
 				&rejected_mask);
 
@@ -745,6 +746,7 @@ static NTSTATUS open_file(files_struct *fsp,
 			if (file_existed) {
 				status = smbd_check_access_rights(conn,
 						smb_fname,
+						false,
 						access_mask);
 			} else if (local_flags & O_CREAT){
 				status = check_parent_access(conn,
@@ -836,6 +838,7 @@ static NTSTATUS open_file(files_struct *fsp,
 
 		status = smbd_check_access_rights(conn,
 				smb_fname,
+				false,
 				access_mask);
 
 		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
@@ -2308,7 +2311,9 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 			if (((can_access_mask & FILE_WRITE_DATA) &&
 				!CAN_WRITE(conn)) ||
 				!NT_STATUS_IS_OK(smbd_check_access_rights(conn,
-						smb_fname, can_access_mask))) {
+							smb_fname,
+							false,
+							can_access_mask))) {
 				can_access = False;
 			}
 
@@ -3025,7 +3030,10 @@ static NTSTATUS open_directory(connection_struct *conn,
 	}
 
 	if (info == FILE_WAS_OPENED) {
-		status = smbd_check_access_rights(conn, smb_dname, access_mask);
+		status = smbd_check_access_rights(conn,
+						smb_dname,
+						false,
+						access_mask);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(10, ("open_directory: smbd_check_access_rights on "
 				"file %s failed with %s\n",
author	Jeremy Allison <jra@samba.org>	2012-09-13 16:11:31 -0700
committer	Jeremy Allison <jra@samba.org>	2012-09-14 22:54:29 +0200
commit	aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad (patch)
tree	406b0b33ee5ba049988501e4451221943a2ac36d /source3/smbd/open.c
parent	1e34d584393c09a43bf0226bebc0ae0f675e57ae (diff)
download	samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.tar.gz samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.tar.bz2 samba-aa0a7cf51a8b4ed2f188c2c38c4d5d47688de9ad.zip