summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-07-11 18:09:44 +0200
committerStefan Metzmacher <metze@samba.org>2011-07-11 21:23:08 +0200
commit18f967a24881aa899b39f7676fc70a7f7aaca07b (patch)
tree879980f7e0538f7832b2d93f52cd2b5b30943c88 /source3/smbd
parent7c10b5e03379782841d0e58910c579647b75e39c (diff)
downloadsamba-18f967a24881aa899b39f7676fc70a7f7aaca07b.tar.gz
samba-18f967a24881aa899b39f7676fc70a7f7aaca07b.tar.bz2
samba-18f967a24881aa899b39f7676fc70a7f7aaca07b.zip
s3:smbd/msdfs: let create_conn_struct() check the share security descriptor
metze
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/msdfs.c30
1 files changed, 30 insertions, 0 deletions
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 31c5a2d07a..4629a39aa3 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -28,6 +28,7 @@
#include "msdfs.h"
#include "auth.h"
#include "lib/param/loadparm.h"
+#include "libcli/security/security.h"
/**********************************************************************
Parse a DFS pathname of the form \hostname\service\reqpath
@@ -279,6 +280,35 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
set_conn_connectpath(conn, connpath);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ *
+ */
+ if (conn->session_info) {
+ share_access_check(conn->session_info->security_token,
+ lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+
+ if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+ if ((conn->share_access & FILE_READ_DATA) == 0) {
+ /* No access, read or write. */
+ DEBUG(0,("create_conn_struct: connection to %s "
+ "denied due to security "
+ "descriptor.\n",
+ lp_servicename(snum)));
+ conn_free(conn);
+ return NT_STATUS_ACCESS_DENIED;
+ } else {
+ conn->read_only = true;
+ }
+ }
+ } else {
+ conn->share_access = 0;
+ conn->read_only = true;
+ }
+
if (!smbd_vfs_init(conn)) {
NTSTATUS status = map_nt_error_from_unix(errno);
DEBUG(0,("create_conn_struct: smbd_vfs_init failed.\n"));