diff options
| author | Jeremy Allison <jra@samba.org> | 2012-11-14 14:40:50 -0800 |
|---|---|---|
| committer | Michael Adam <obnox@samba.org> | 2012-11-19 13:16:09 +0100 |
| commit | 4985332b951d8cd46c9c0cd877875ab7839b4edb (patch) | |
| tree | 47018f8691a3f4228a1825cdea2666347bb1adfa /source3/smbd | |
| parent | e6a100e86b7adf1c06a7c06b24fa50717ddcdb67 (diff) | |
| download | samba-4985332b951d8cd46c9c0cd877875ab7839b4edb.tar.gz samba-4985332b951d8cd46c9c0cd877875ab7839b4edb.tar.bz2 samba-4985332b951d8cd46c9c0cd877875ab7839b4edb.zip | |
Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evaluating file/directory ACE's.
If we can access the path to this file, by
default we have FILE_READ_ATTRIBUTES from the
containing directory. See the section.
"Algorithm to Check Access to an Existing File"
in MS-FSA.pdf.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/open.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 7eb9f321f8..201f6981cb 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -131,7 +131,13 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn, } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() also takes care of * owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(sd, @@ -249,7 +255,13 @@ static NTSTATUS check_parent_access(struct connection_struct *conn, } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() also takes care of * owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(parent_sd, @@ -1704,7 +1716,13 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() * also takes care of owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(sd, |