diff options
| author | Volker Lendecke <vl@samba.org> | 2011-12-16 18:51:19 +0100 |
|---|---|---|
| committer | Volker Lendecke <vl@samba.org> | 2012-01-03 13:38:02 +0100 |
| commit | c01f02a4b97de453a0db7feb3c2d323f05fac7f6 (patch) | |
| tree | 1894ac3b207713d2d60b58bf3c64c5450fe29167 /source3/smbd | |
| parent | 49a520217ceb04cbd4278a3bce7cb1f8dd04b018 (diff) | |
| download | samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.tar.gz samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.tar.bz2 samba-c01f02a4b97de453a0db7feb3c2d323f05fac7f6.zip | |
s3: Avoid "file_existed" in smbd_calculate_maximum_allowed_access
We access the file by name anyway, so we can just try to access it. The file
system will for sure tell us if the file does not exist.
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/open.c | 71 |
1 files changed, 35 insertions, 36 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index db4831d3d2..d9491b5f04 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1479,9 +1479,10 @@ static void schedule_defer_open(struct share_mode_lock *lck, static NTSTATUS smbd_calculate_maximum_allowed_access( connection_struct *conn, const struct smb_filename *smb_fname, - bool file_existed, uint32_t *p_access_mask) { + struct security_descriptor *sd; + uint32_t access_granted; NTSTATUS status; if (get_current_uid(conn) == (uid_t)0) { @@ -1489,47 +1490,45 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( return NT_STATUS_OK; } - if (file_existed) { - struct security_descriptor *sd; - uint32_t access_granted = 0; - - status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, - (SECINFO_OWNER | - SECINFO_GROUP | - SECINFO_DACL),&sd); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("smbd_calculate_access_mask: " - "Could not get acl on file %s: %s\n", - smb_fname_str_dbg(smb_fname), - nt_errstr(status))); - return NT_STATUS_ACCESS_DENIED; - } + status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, + (SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL),&sd); + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { /* - * Never test FILE_READ_ATTRIBUTES. se_access_check() - * also takes care of owner WRITE_DAC and READ_CONTROL. + * File did not exist */ - status = se_access_check(sd, - get_current_nttok(conn), - (*p_access_mask & ~FILE_READ_ATTRIBUTES), - &access_granted); + *p_access_mask = FILE_GENERIC_ALL; + return NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("smbd_calculate_access_mask: " + "Could not get acl on file %s: %s\n", + smb_fname_str_dbg(smb_fname), + nt_errstr(status))); + return NT_STATUS_ACCESS_DENIED; + } - TALLOC_FREE(sd); + /* + * Never test FILE_READ_ATTRIBUTES. se_access_check() + * also takes care of owner WRITE_DAC and READ_CONTROL. + */ + status = se_access_check(sd, + get_current_nttok(conn), + (*p_access_mask & ~FILE_READ_ATTRIBUTES), + &access_granted); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("smbd_calculate_access_mask: " - "Access denied on file %s: " - "when calculating maximum access\n", - smb_fname_str_dbg(smb_fname))); - return NT_STATUS_ACCESS_DENIED; - } + TALLOC_FREE(sd); - *p_access_mask = (access_granted | FILE_READ_ATTRIBUTES); - return NT_STATUS_OK; + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("smbd_calculate_access_mask: " + "Access denied on file %s: " + "when calculating maximum access\n", + smb_fname_str_dbg(smb_fname))); + return NT_STATUS_ACCESS_DENIED; } - - *p_access_mask = FILE_GENERIC_ALL; + *p_access_mask = (access_granted | FILE_READ_ATTRIBUTES); return NT_STATUS_OK; } @@ -1553,7 +1552,7 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, if (access_mask & MAXIMUM_ALLOWED_ACCESS) { status = smbd_calculate_maximum_allowed_access( - conn, smb_fname, file_existed, &access_mask); + conn, smb_fname, &access_mask); if (!NT_STATUS_IS_OK(status)) { return status; |