summaryrefslogtreecommitdiff
path: root/source4/ntvfs
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2006-09-16 15:37:45 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:18:51 -0500
commitc5e67b855560b85040c6caa17e0cab641b0e273e (patch)
treee37b4c518b0a443eb85c9e9b9ae8983323c26635 /source4/ntvfs
parent9c53e146020c16e2a26e24fb327d69ed8da14c8e (diff)
downloadsamba-c5e67b855560b85040c6caa17e0cab641b0e273e.tar.gz
samba-c5e67b855560b85040c6caa17e0cab641b0e273e.tar.bz2
samba-c5e67b855560b85040c6caa17e0cab641b0e273e.zip
r18581: also check for SEC_STD_DELETE, and split out the check into a separate
static function (This used to be commit 024ca6a91cdf2c0f8999c220b4459a72c45bfd32)
Diffstat (limited to 'source4/ntvfs')
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c29
1 files changed, 21 insertions, 8 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 1dd40c0e06..62ef196977 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -336,6 +336,25 @@ NTSTATUS pvfs_acl_query(struct pvfs_state *pvfs,
/*
+ check the read only bit against any of the write access bits
+*/
+static BOOL pvfs_read_only(struct pvfs_state *pvfs, uint32_t access_mask)
+{
+ if ((pvfs->flags & PVFS_FLAG_READONLY) &&
+ (access_mask & (SEC_FILE_WRITE_DATA |
+ SEC_FILE_APPEND_DATA |
+ SEC_FILE_WRITE_EA |
+ SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_STD_DELETE |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER |
+ SEC_DIR_DELETE_CHILD))) {
+ return True;
+ }
+ return False;
+}
+
+/*
default access check function based on unix permissions
doing this saves on building a full security descriptor
for the common case of access check on files with no
@@ -349,10 +368,7 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
uid_t uid = geteuid();
uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL;
- if ((pvfs->flags & PVFS_FLAG_READONLY) &&
- ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
- SEC_DIR_DELETE_CHILD))) {
+ if (pvfs_read_only(pvfs, *access_mask)) {
return NT_STATUS_ACCESS_DENIED;
}
@@ -397,10 +413,7 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
NTSTATUS status;
struct security_descriptor *sd;
- if ((pvfs->flags & PVFS_FLAG_READONLY) &&
- ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
- SEC_DIR_DELETE_CHILD))) {
+ if (pvfs_read_only(pvfs, *access_mask)) {
return NT_STATUS_ACCESS_DENIED;
}