authorAndrew Tridgell <tridge@samba.org>2005-01-09 08:27:35 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:08:33 -0500
commit3feb4423f3ec35dd3dfa2c358797a4f6a86b2fb5 (patch)
treec419b77fc5484fbfc945e8bfe7634fb16b201c67 /source4/ntvfs/posix
parentc32f3129bc0894079e71beee7c3101283adbc9bf (diff)
r4615: added acl checking on directory search in pvfs
(This used to be commit 0e61a422bd9a1596a284c176f033e958bbeaa8ce)
Diffstat (limited to 'source4/ntvfs/posix')
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c9
-rw-r--r--source4/ntvfs/posix/pvfs_mkdir.c4
-rw-r--r--source4/ntvfs/posix/pvfs_rename.c10
-rw-r--r--source4/ntvfs/posix/pvfs_search.c11
-rw-r--r--source4/ntvfs/posix/pvfs_setfileinfo.c2
5 files changed, 24 insertions, 12 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 590c9c18b5..e38f2c9ecb 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -452,9 +452,10 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
/*
access check for creating a new file/directory - no access mask supplied
*/
-NTSTATUS pvfs_access_check_create_nomask(struct pvfs_state *pvfs,
- struct smbsrv_request *req,
- struct pvfs_filename *name)
+NTSTATUS pvfs_access_check_parent(struct pvfs_state *pvfs,
+ struct smbsrv_request *req,
+ struct pvfs_filename *name,
+ uint32_t access_mask)
{
struct pvfs_filename *parent;
NTSTATUS status;
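Review bot: The comment kept above the renamed function still reads "access check for creating a new file/directory - no access mask supplied", which no longer matches the code. The function now takes `access_mask`, and this commit also calls it from the directory search path, not only for creation. I would replace the comment with `/* access check on the parent directory of 'name', using the caller-supplied access_mask */`. The function body continues past the end of this hunk.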
@@ -464,7 +465,7 @@ NTSTATUS pvfs_access_check_create_nomask(struct pvfs_state *pvfs,
return status;
}
- return pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE);
+ return pvfs_access_check_simple(pvfs, req, parent, access_mask);
}
diff --git a/source4/ntvfs/posix/pvfs_mkdir.c b/source4/ntvfs/posix/pvfs_mkdir.c
index 42b5109673..03bc16cdbe 100644
--- a/source4/ntvfs/posix/pvfs_mkdir.c
+++ b/source4/ntvfs/posix/pvfs_mkdir.c
@@ -44,7 +44,7 @@ static NTSTATUS pvfs_t2mkdir(struct pvfs_state *pvfs,
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- status = pvfs_access_check_create_nomask(pvfs, req, name);
+ status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
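Review bot: Both mkdir call sites (this one in pvfs_t2mkdir and the one in the pvfs_mkdir hunk below) still request `SEC_DIR_ADD_FILE` on the parent, although the object being created is a directory. Now that the mask is a parameter, `SEC_DIR_ADD_SUBDIR` looks like the more accurate right, since NT ACLs distinguish adding files from adding subdirectories and an ACE granting only add-file would otherwise allow mkdir. The change would be `status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_ADD_SUBDIR);`, which should be confirmed against a Windows server before it is adopted. Both functions begin and end outside their hunks.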
@@ -114,7 +114,7 @@ NTSTATUS pvfs_mkdir(struct ntvfs_module_context *ntvfs,
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- status = pvfs_access_check_create_nomask(pvfs, req, name);
+ status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source4/ntvfs/posix/pvfs_rename.c b/source4/ntvfs/posix/pvfs_rename.c
index 91ad9aa3d9..b70f129888 100644
--- a/source4/ntvfs/posix/pvfs_rename.c
+++ b/source4/ntvfs/posix/pvfs_rename.c
@@ -22,7 +22,7 @@
#include "includes.h"
#include "vfs_posix.h"
-
+#include "librpc/gen_ndr/ndr_security.h"
/*
resolve a wildcard rename pattern. This works on one component of the name
@@ -281,7 +281,7 @@ static NTSTATUS pvfs_rename_mv(struct ntvfs_module_context *ntvfs,
return status;
}
- status = pvfs_access_check_create_nomask(pvfs, req, name2);
+ status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -360,7 +360,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs,
switch (ren->ntrename.in.flags) {
case RENAME_FLAG_RENAME:
- status = pvfs_access_check_create_nomask(pvfs, req, name2);
+ status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -370,7 +370,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs,
break;
case RENAME_FLAG_HARD_LINK:
- status = pvfs_access_check_create_nomask(pvfs, req, name2);
+ status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -380,7 +380,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs,
break;
case RENAME_FLAG_COPY:
- status = pvfs_access_check_create_nomask(pvfs, req, name2);
+ status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source4/ntvfs/posix/pvfs_search.c b/source4/ntvfs/posix/pvfs_search.c
index 34f5f2208e..2106758784 100644
--- a/source4/ntvfs/posix/pvfs_search.c
+++ b/source4/ntvfs/posix/pvfs_search.c
@@ -24,6 +24,7 @@
#include "vfs_posix.h"
#include "system/time.h"
#include "system/filesys.h"
+#include "librpc/gen_ndr/ndr_security.h"
/* the state of a search started with pvfs_search_first() */
@@ -325,6 +326,11 @@ static NTSTATUS pvfs_search_first_old(struct ntvfs_module_context *ntvfs,
return STATUS_NO_MORE_FILES;
}
+ status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_TRAVERSE | SEC_DIR_LIST);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
/* we initially make search a child of the request, then if we
need to keep it long term we steal it for the private
structure */
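Review bot: The new ACL check sits after the early `return STATUS_NO_MORE_FILES;` in pvfs_search_first_old, and after `return NT_STATUS_NO_SUCH_FILE;` in the pvfs_search_first hunk below. The conditions guarding those returns are outside the hunks, but if they depend on whether the name exists, a client without list rights on the parent gets a different status for missing and present names, so the directory's contents can be probed without `SEC_DIR_LIST`. Moving the `pvfs_access_check_parent(pvfs, req, name, SEC_DIR_TRAVERSE | SEC_DIR_LIST)` block above those returns would make the denial uniform. It would also help to add a comment at the check, such as `/* must run before any result that reveals whether the name exists */`. Only the search-first entry points are visible here, so whether continued searches depend solely on this initial check cannot be judged from the diff.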
@@ -461,6 +467,11 @@ NTSTATUS pvfs_search_first(struct ntvfs_module_context *ntvfs,
return NT_STATUS_NO_SUCH_FILE;
}
+ status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_TRAVERSE | SEC_DIR_LIST);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
/* we initially make search a child of the request, then if we
need to keep it long term we steal it for the private
structure */
diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c
index 8c4d016ccc..9934388461 100644
--- a/source4/ntvfs/posix/pvfs_setfileinfo.c
+++ b/source4/ntvfs/posix/pvfs_setfileinfo.c
@@ -139,7 +139,7 @@ static NTSTATUS pvfs_setfileinfo_rename(struct pvfs_state *pvfs,
}
}
- status = pvfs_access_check_create_nomask(pvfs, req, name2);
+ status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}