author | Stefan Metzmacher <metze@samba.org> | 2011-07-11 18:09:44 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-07-11 21:23:08 +0200 |
commit | 18f967a24881aa899b39f7676fc70a7f7aaca07b (patch) | |
tree | 879980f7e0538f7832b2d93f52cd2b5b30943c88 /source3/smbd | |
parent | 7c10b5e03379782841d0e58910c579647b75e39c (diff) | |
s3:smbd/msdfs: let create_conn_struct() check the share security descriptor
metze
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/msdfs.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 31c5a2d07a..4629a39aa3 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -28,6 +28,7 @@
 #include "msdfs.h"
 #include "auth.h"
 #include "lib/param/loadparm.h"
+#include "libcli/security/security.h"
 /**********************************************************************
 Parse a DFS pathname of the form \hostname\service\reqpath
@@ -279,6 +280,35 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 set_conn_connectpath(conn, connpath);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ *
+ */
+ if (conn->session_info) {
+ share_access_check(conn->session_info->security_token,
+ lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+
+ if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+ if ((conn->share_access & FILE_READ_DATA) == 0) {
+ /* No access, read or write. */
+ DEBUG(0,("create_conn_struct: connection to %s "
+ "denied due to security "
+ "descriptor.\n",
+ lp_servicename(snum)));
+ conn_free(conn);
+ return NT_STATUS_ACCESS_DENIED;
+ } else {
+ conn->read_only = true;
+ }
+ }
+ } else {
+ conn->share_access = 0;
+ conn->read_only = true;
+ }
+
 if (!smbd_vfs_init(conn)) {
 NTSTATUS status = map_nt_error_from_unix(errno);
 DEBUG(0,("create_conn_struct: smbd_vfs_init failed.\n"));
|
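Review bot: In the second hunk the result of `share_access_check()` is discarded and `conn->share_access` is tested straight afterwards, so the deny/read-only decision relies on the helper having written the out-parameter on every path, which is not visible here. Setting `conn->share_access = 0;` just before the call would make an unwritten result fall into the `NT_STATUS_ACCESS_DENIED` branch, so the check fails closed. The `else` branch lets a connection without `session_info` continue read-only with `share_access = 0`, the same value that is rejected when a token is present; a comment such as `/* no session_info: share descriptor not evaluated, force read-only */` would record whether that is intentional. create_conn_struct() begins and ends outside the hunk, so any earlier initialisation of `conn` cannot be checked from here.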