diff options
| author | Jeremy Allison <jra@samba.org> | 2008-11-04 01:34:08 -0800 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2008-11-04 01:34:08 -0800 |
| commit | bfc59f63f3c13b1499e658c30b2185c7067c5fca (patch) | |
| tree | 0a9e1bc2870c2c41364e10c2a1f0fc1fff36df61 /source3/smbd | |
| parent | 0953688012dcacca5b28a19c7a2d8393428ca151 (diff) | |
| download | samba-bfc59f63f3c13b1499e658c30b2185c7067c5fca.tar.gz samba-bfc59f63f3c13b1499e658c30b2185c7067c5fca.tar.bz2 samba-bfc59f63f3c13b1499e658c30b2185c7067c5fca.zip | |
Pass all of RAW-ACLS except for inheritence. Working on that next.
Jeremy.
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/open.c | 81 |
1 files changed, 79 insertions, 2 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index b134e8f0fd..480352beda 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -30,6 +30,56 @@ struct deferred_open_record { }; /**************************************************************************** + SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES. +****************************************************************************/ + +NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted) +{ + return se_access_check(sd, + token, + (access_desired & ~FILE_READ_ATTRIBUTES), + access_granted); +} + +/**************************************************************************** + Check if we have open rights. +****************************************************************************/ + +static NTSTATUS check_open_rights(struct connection_struct *conn, + const char *fname, + uint32_t access_mask) +{ + /* Check if we have rights to open. */ + NTSTATUS status; + uint32_t access_granted = 0; + struct security_descriptor *sd; + + status = SMB_VFS_GET_NT_ACL(conn, fname, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION),&sd); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("check_open_rights: Could not get acl " + "on %s: %s\n", + fname, + nt_errstr(status))); + return status; + } + + status = smb1_file_se_access_check(sd, + conn->server_info->ptok, + access_mask, + &access_granted); + + TALLOC_FREE(sd); + return status; +} + +/**************************************************************************** fd support routines - attempt to do a dos_open. ****************************************************************************/ @@ -337,6 +387,17 @@ static NTSTATUS open_file(files_struct *fsp, } else { fsp->fh->fd = -1; /* What we used to call a stat open. */ + if (file_existed) { + status = check_open_rights(conn, + path, + access_mask); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("open_file: Access denied on " + "file %s\n", + path)); + return status; + } + } } if (!file_existed) { @@ -1146,6 +1207,7 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, /* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */ if (access_mask & MAXIMUM_ALLOWED_ACCESS) { if (file_existed) { + struct security_descriptor *sd; uint32_t access_granted = 0; @@ -1162,8 +1224,10 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, return NT_STATUS_ACCESS_DENIED; } - status = se_access_check(sd, conn->server_info->ptok, - access_mask, &access_granted); + status = smb1_file_se_access_check(sd, + conn->server_info->ptok, + access_mask, + &access_granted); TALLOC_FREE(sd); @@ -2274,6 +2338,19 @@ NTSTATUS open_directory(connection_struct *conn, return NT_STATUS_NOT_A_DIRECTORY; } + if (info == FILE_WAS_OPENED) { + status = check_open_rights(conn, + fname, + access_mask); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("open_directory: check_open_rights on " + "file %s failed with %s\n", + fname, + nt_errstr(status))); + return status; + } + } + status = file_new(req, conn, &fsp); if(!NT_STATUS_IS_OK(status)) { return status; |