summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-09-08 20:54:38 -0700
committerJeremy Allison <jra@samba.org>2010-09-08 20:54:38 -0700
commitbec9baf88a54d0e0d3fe1065c27df0f76c960e65 (patch)
tree72282edbec39183a10489840e652a4373f55222d /source3/smbd
parentfcac46a61245e6b05f88ed80ec4b554ffd55dc63 (diff)
downloadsamba-bec9baf88a54d0e0d3fe1065c27df0f76c960e65.tar.gz
samba-bec9baf88a54d0e0d3fe1065c27df0f76c960e65.tar.bz2
samba-bec9baf88a54d0e0d3fe1065c27df0f76c960e65.zip
Don't rely on the underlying ACL modules to enforce share level
security when setting ACLs, check at the call level as well. Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/nttrans.c5
-rw-r--r--source3/smbd/smb2_setinfo.c5
2 files changed, 10 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 78774dc1b0..1e4e06cf26 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1967,6 +1967,11 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
return;
}
+ if (!CAN_WRITE(fsp->conn)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
if(!lp_nt_acl_support(SNUM(conn))) {
goto done;
}
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3e1bdd2771..4b837c13b3 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -311,6 +311,11 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx,
case 0x03:/* SMB2_SETINFO_SECURITY */
{
+ if (!CAN_WRITE(conn)) {
+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return tevent_req_post(req, ev);
+ }
+
status = set_sd(fsp,
in_input_buffer.data,
in_input_buffer.length,