diff options
| author | Jeremy Allison <jra@samba.org> | 2001-12-17 19:16:22 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2001-12-17 19:16:22 +0000 |
| commit | 02c3dcd8ee6f4007ea6db9fbcd75b16129a657eb (patch) | |
| tree | b1f1c8ca874121e8d2fdc7e9454917d15272cd12 /source3 | |
| parent | db9d6374a312ba5acb89d80bb41dbd5fdc8d0b17 (diff) | |
| download | samba-02c3dcd8ee6f4007ea6db9fbcd75b16129a657eb.tar.gz samba-02c3dcd8ee6f4007ea6db9fbcd75b16129a657eb.tar.bz2 samba-02c3dcd8ee6f4007ea6db9fbcd75b16129a657eb.zip | |
Made "hide unreadable" work much more reliably (just for Volker :-).
Jeremy.
(This used to be commit f6d6825bc86662d54ff3920d7d5390d151f34b0f)
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/smbd/dir.c | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index 1e2858ae26..faf5bca52d 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -666,12 +666,47 @@ check to see if a user can read a file. This is only approximate, it is used as part of the "hide unreadable" option. Don't use it for anything security sensitive ********************************************************************/ + static BOOL user_can_read_file(connection_struct *conn, char *name) { + extern struct current_user current_user; SMB_STRUCT_STAT ste; + SEC_DESC *psd = NULL; + size_t sd_size; + files_struct *fsp; + int smb_action; + NTSTATUS status; + uint32 access_granted; + + ZERO_STRUCT(ste); /* if we can't stat it does not show it */ - if (vfs_stat(conn, name, &ste) != 0) return False; + if (vfs_stat(conn, name, &ste) != 0) + return False; + + /* Pseudo-open the file (note - no fd's created). */ + + if(S_ISDIR(ste.st_mode)) + fsp = open_directory(conn, name, &ste, SET_DENY_MODE(DENY_NONE), FILE_OPEN, + unix_mode(conn,aRONLY|aDIR, name), &smb_action); + else + fsp = open_file_stat(conn,name,&ste,DOS_OPEN_RDONLY,&smb_action); + if (!fsp) + return False; + + /* Get NT ACL -allocated in main loop talloc context. No free needed here. */ + sd_size = conn->vfs_ops.fget_nt_acl(fsp, fsp->fd, &psd); + close_file(fsp, True); + + /* No access if SD get failed. */ + if (!sd_size) + return False; + + return se_access_check(psd, current_user.nt_user_token, FILE_READ_DATA, + &access_granted, &status); + +#if 0 + /* Old - crappy check :-). JRA */ if (ste.st_uid == conn->uid) { return (ste.st_mode & S_IRUSR) == S_IRUSR; @@ -688,6 +723,7 @@ static BOOL user_can_read_file(connection_struct *conn, char *name) } return (ste.st_mode & S_IROTH) == S_IROTH; +#endif } /******************************************************************* |