diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-10-18 10:32:06 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-10-18 10:32:06 +1100 |
commit | a2aa13da3272b62b8d47d624a0d7fc65825adf6e (patch) | |
tree | 00c41be53adf5cd6a0b262ce82a890963875d7d8 /source4/ntvfs | |
parent | bae8c93d9b5b2ae9a028573559b2fd0d306c0530 (diff) | |
download | samba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.tar.gz samba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.tar.bz2 samba-a2aa13da3272b62b8d47d624a0d7fc65825adf6e.zip |
s4-pvfs: more fixes for ACLs on file creation
The passed in SD is not used to limit the access mask allowed on file
create.
Diffstat (limited to 'source4/ntvfs')
-rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 842aced6f2..5931a38f2e 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -659,14 +659,10 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs, } status = pvfs_resolve_parent(pvfs, req, name, &parent); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); status = pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); if (*sd == NULL) { status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, sd); @@ -679,14 +675,19 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs, /* expand the generic access bits to file specific bits */ *access_mask = pvfs_translate_mask(*access_mask); - if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { - *access_mask &= ~SEC_FILE_READ_ATTRIBUTE; + + if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { + *access_mask |= SEC_RIGHTS_FILE_ALL; + *access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED; } - if (*sd == NULL) { - return pvfs_access_check_unix(pvfs, req, NULL, access_mask); + if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { + /* on SMB, this bit is always granted, even if not + asked for */ + *access_mask |= SEC_FILE_READ_ATTRIBUTE; } - return sec_access_check(*sd, token, *access_mask, access_mask); + + return NT_STATUS_OK; } /* |