diff options
-rw-r--r-- | source3/smbd/dir.c | 4 | ||||
-rw-r--r-- | source3/smbd/file_access.c | 51 | ||||
-rw-r--r-- | source3/smbd/open.c | 4 | ||||
-rw-r--r-- | source3/smbd/proto.h | 6 |
4 files changed, 9 insertions, 56 deletions
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index cc74886810..8af0dad8c3 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -1161,7 +1161,9 @@ static bool user_can_read_file(connection_struct *conn, return True; } - return can_access_file_acl(conn, smb_fname, FILE_READ_DATA); + return NT_STATUS_IS_OK(smbd_check_access_rights(conn, + smb_fname, + FILE_READ_DATA)); } /******************************************************************* diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c index 81cb7bd43f..ae13a0a2a5 100644 --- a/source3/smbd/file_access.c +++ b/source3/smbd/file_access.c @@ -27,53 +27,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_ACLS -/** - * Security descriptor / NT Token level access check function. - */ -bool can_access_file_acl(struct connection_struct *conn, - const struct smb_filename *smb_fname, - uint32_t access_mask) -{ - NTSTATUS status; - uint32_t access_granted; - struct security_descriptor *secdesc = NULL; - bool ret; - - if (get_current_uid(conn) == (uid_t)0) { - /* I'm sorry sir, I didn't know you were root... */ - return true; - } - - status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, - (SECINFO_OWNER | - SECINFO_GROUP | - SECINFO_DACL), - &secdesc); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(5, ("Could not get acl: %s\n", nt_errstr(status))); - ret = false; - goto out; - } - - status = se_access_check(secdesc, get_current_nttok(conn), - access_mask, &access_granted); - ret = NT_STATUS_IS_OK(status); - - if (DEBUGLEVEL >= 10) { - DEBUG(10,("can_access_file_acl for file %s " - "access_mask 0x%x, access_granted 0x%x " - "access %s\n", - smb_fname_str_dbg(smb_fname), - (unsigned int)access_mask, - (unsigned int)access_granted, - ret ? "ALLOWED" : "DENIED" )); - NDR_PRINT_DEBUG(security_descriptor, secdesc); - } - out: - TALLOC_FREE(secdesc); - return ret; -} - /**************************************************************************** Actually emulate the in-kernel access checking for delete access. We need this to successfully return ACCESS_DENIED on a file open for delete access. @@ -169,7 +122,9 @@ bool can_delete_file_in_directory(connection_struct *conn, * check the file DELETE permission separately. */ - ret = can_access_file_acl(conn, smb_fname_parent, FILE_DELETE_CHILD); + ret = NT_STATUS_IS_OK(smbd_check_access_rights(conn, + smb_fname_parent, + FILE_DELETE_CHILD)); out: TALLOC_FREE(dname); TALLOC_FREE(smb_fname_parent); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index a1a247fca2..eb9f13e22c 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -3266,7 +3266,9 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, if ((create_disposition != FILE_CREATE) && (access_mask & DELETE_ACCESS) && (!(can_delete_file_in_directory(conn, smb_fname) || - can_access_file_acl(conn, smb_fname, DELETE_ACCESS)))) { + NT_STATUS_IS_OK(smbd_check_access_rights(conn, + smb_fname, + DELETE_ACCESS))))) { status = NT_STATUS_ACCESS_DENIED; DEBUG(10,("create_file_unixpath: open file %s " "for delete ACCESS_DENIED\n", diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index 0b7c28fb91..0a68a6c318 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -303,14 +303,8 @@ void reply_openerror(struct smb_request *req, NTSTATUS status); /* The following definitions come from smbd/file_access.c */ -bool can_access_file_acl(struct connection_struct *conn, - const struct smb_filename *smb_fname, - uint32_t access_mask); bool can_delete_file_in_directory(connection_struct *conn, const struct smb_filename *smb_fname); -bool can_access_file_data(connection_struct *conn, - const struct smb_filename *smb_fname, - uint32 access_mask); bool can_write_to_file(connection_struct *conn, const struct smb_filename *smb_fname); bool directory_has_default_acl(connection_struct *conn, const char *fname); |