authorJeremy Allison <jra@samba.org>2010-02-17 11:13:35 -0800
committerJeremy Allison <jra@samba.org>2010-02-17 11:13:35 -0800
commit5564e7147fdbb136775b990d9a5d37d4d232d936 (patch)
treec2e0ea6249a27f30643a2ad57c0b61b490616247 /source3
parent94074eb2e6d260e467ad3b6d354beeb282fe1ada (diff)
Fix bug #6557 - Do not work VFS full_audit
Re-arrange the operations order so SMB_VFS_CONNECT is done first as root (to allow modules to correctly initialize themselves). Reviewed modules to check if they needed CONNECT invoked as a user (which we previously did) and it turns out any of them that cared needed root permissions anyway. Jeremy.
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/service.c85
1 files changed, 34 insertions, 51 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 54926eb600..4bc5ca1a5c 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -845,13 +845,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
goto err_root_exit;
}
- if ((!conn->printer) && (!conn->ipc)) {
- conn->notify_ctx = notify_init(conn, server_id_self(),
- smbd_messaging_context(),
- smbd_event_context(),
- conn);
- }
-
/* ROOT Activities: */
/* explicitly check widelinks here so that we can correctly warn
* in the logs. */
@@ -881,6 +874,26 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
}
claimed_connection = true;
+ /* Invoke VFS make connection hook - this must be the first
+ filesystem operation that we do. */
+
+ if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+ conn->server_info->unix_name) < 0) {
+ DEBUG(0,("make_connection: VFS make connection failed!\n"));
+ *pstatus = NT_STATUS_UNSUCCESSFUL;
+ goto err_root_exit;
+ }
+
+ /* Any error exit after here needs to call the disconnect hook. */
+ on_err_call_dis_hook = true;
+
+ if ((!conn->printer) && (!conn->ipc)) {
+ conn->notify_ctx = notify_init(conn, server_id_self(),
+ smbd_messaging_context(),
+ smbd_event_context(),
+ conn);
+ }
+
/*
* Fix compatibility issue pointed out by Volker.
* We pass the conn->connectpath to the preexec
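Review bot: The comment added above `SMB_VFS_CONNECT` does not record that the hook now runs with root credentials, nor that `conn->connectpath` has not yet been through `canonicalize_connect_path` at this point (that call sits in a later hunk of this diff and only runs when wide links are off). A module whose connect hook touches the share path would therefore do so as root on a path that may still contain symlinks; this is inferred from the ordering, since the modules are not shown here. I would extend the comment to `/* Invoke VFS make connection hook as root, before connectpath is canonicalised - this must be the first filesystem operation that we do. Hooks must not trust conn->connectpath. */`. Because `on_err_call_dis_hook` is now set this early, it is also worth confirming that every later `goto err_root_exit` reaches the disconnect hook as root; that label is outside the hunk.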
@@ -953,6 +966,20 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
}
}
+#ifdef WITH_FAKE_KASERVER
+ if (lp_afs_share(snum)) {
+ afs_login(conn);
+ }
+#endif
+
+ /*
+ * we've finished with the user stuff - go back to root
+ * so the SMB_VFS_STAT call will only fail on path errors,
+ * not permission problems.
+ */
+ change_to_root_user();
+/* ROOT Activites: */
+
/*
* If widelinks are disallowed we need to canonicalise the connect
* path here to ensure we don't have any symlinks in the
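Review bot: The comment moved above `change_to_root_user()` still justifies the switch only by `SMB_VFS_STAT`, but the later hunks show `canonicalize_connect_path`, the veto/hide list setup and `create_synthetic_smb_fname` now running in the same root section. These markers are what a reader uses to audit the privilege boundary, so the comment should name what the section covers, e.g. `* go back to root so path canonicalisation and the SMB_VFS_STAT call fail only on path errors, not permission problems.` The marker below it is misspelled and unindented; `/* ROOT Activities: */` would match the one earlier in the function. `afs_login(conn)` is called as a bare statement, so any result it returns is dropped; if that is deliberate, a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.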
@@ -961,14 +988,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
* depend on the realpath() pointer in the vfs table. JRA.
*/
if (!lp_widelinks(snum)) {
-
- /* We need to do the path canonicalization
- * as root, as we may not have rights to
- * this path as the user. */
-
- change_to_root_user();
-
-/* ROOT Activites: */
if (!canonicalize_connect_path(conn)) {
DEBUG(0, ("canonicalize_connect_path failed "
"for service %s, path %s\n",
@@ -977,21 +996,8 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
*pstatus = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
-
- /* Back to the user for the VFS_CONNECT call. */
- if (!change_to_user(conn, conn->vuid)) {
- *pstatus = NT_STATUS_LOGON_FAILURE;
- goto err_root_exit;
- }
-/* USER Activites: */
}
-#ifdef WITH_FAKE_KASERVER
- if (lp_afs_share(snum)) {
- afs_login(conn);
- }
-#endif
-
/* Add veto/hide lists */
if (!IS_IPC(conn) && !IS_PRINT(conn)) {
set_namearray( &conn->veto_list, lp_veto_files(snum));
@@ -1000,21 +1006,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
set_namearray( &conn->aio_write_behind_list,
lp_aio_write_behind(snum));
}
-
- /* Invoke VFS make connection hook - do this before the VFS_STAT call
- to allow any filesystems needing user credentials to initialize
- themselves. */
-
- if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
- conn->server_info->unix_name) < 0) {
- DEBUG(0,("make_connection: VFS make connection failed!\n"));
- *pstatus = NT_STATUS_UNSUCCESSFUL;
- goto err_root_exit;
- }
-
- /* Any error exit after here needs to call the disconnect hook. */
- on_err_call_dis_hook = true;
-
status = create_synthetic_smb_fname(talloc_tos(), conn->connectpath,
NULL, NULL, &smb_fname_cpath);
if (!NT_STATUS_IS_OK(status)) {
@@ -1028,14 +1019,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
I have disabled this chdir check (tridge) */
/* the alternative is just to check the directory exists */
- /*
- * we've finished with the user stuff - go back to root
- * so the SMB_VFS_STAT call will only fail on path errors,
- * not permission problems.
- */
- change_to_root_user();
-
-/* ROOT Activites: */
if ((ret = SMB_VFS_STAT(conn, smb_fname_cpath)) != 0 ||
!S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
if (ret == 0 && !S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {