summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/smbd/dir.c4
-rw-r--r--source3/smbd/file_access.c51
-rw-r--r--source3/smbd/open.c4
-rw-r--r--source3/smbd/proto.h6
4 files changed, 9 insertions, 56 deletions
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index cc74886810..8af0dad8c3 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -1161,7 +1161,9 @@ static bool user_can_read_file(connection_struct *conn,
return True;
}
- return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
+ return NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+ smb_fname,
+ FILE_READ_DATA));
}
/*******************************************************************
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 81cb7bd43f..ae13a0a2a5 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -27,53 +27,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_ACLS
-/**
- * Security descriptor / NT Token level access check function.
- */
-bool can_access_file_acl(struct connection_struct *conn,
- const struct smb_filename *smb_fname,
- uint32_t access_mask)
-{
- NTSTATUS status;
- uint32_t access_granted;
- struct security_descriptor *secdesc = NULL;
- bool ret;
-
- if (get_current_uid(conn) == (uid_t)0) {
- /* I'm sorry sir, I didn't know you were root... */
- return true;
- }
-
- status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
- (SECINFO_OWNER |
- SECINFO_GROUP |
- SECINFO_DACL),
- &secdesc);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(5, ("Could not get acl: %s\n", nt_errstr(status)));
- ret = false;
- goto out;
- }
-
- status = se_access_check(secdesc, get_current_nttok(conn),
- access_mask, &access_granted);
- ret = NT_STATUS_IS_OK(status);
-
- if (DEBUGLEVEL >= 10) {
- DEBUG(10,("can_access_file_acl for file %s "
- "access_mask 0x%x, access_granted 0x%x "
- "access %s\n",
- smb_fname_str_dbg(smb_fname),
- (unsigned int)access_mask,
- (unsigned int)access_granted,
- ret ? "ALLOWED" : "DENIED" ));
- NDR_PRINT_DEBUG(security_descriptor, secdesc);
- }
- out:
- TALLOC_FREE(secdesc);
- return ret;
-}
-
/****************************************************************************
Actually emulate the in-kernel access checking for delete access. We need
this to successfully return ACCESS_DENIED on a file open for delete access.
@@ -169,7 +122,9 @@ bool can_delete_file_in_directory(connection_struct *conn,
* check the file DELETE permission separately.
*/
- ret = can_access_file_acl(conn, smb_fname_parent, FILE_DELETE_CHILD);
+ ret = NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+ smb_fname_parent,
+ FILE_DELETE_CHILD));
out:
TALLOC_FREE(dname);
TALLOC_FREE(smb_fname_parent);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a1a247fca2..eb9f13e22c 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3266,7 +3266,9 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
if ((create_disposition != FILE_CREATE)
&& (access_mask & DELETE_ACCESS)
&& (!(can_delete_file_in_directory(conn, smb_fname) ||
- can_access_file_acl(conn, smb_fname, DELETE_ACCESS)))) {
+ NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+ smb_fname,
+ DELETE_ACCESS))))) {
status = NT_STATUS_ACCESS_DENIED;
DEBUG(10,("create_file_unixpath: open file %s "
"for delete ACCESS_DENIED\n",
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 0b7c28fb91..0a68a6c318 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -303,14 +303,8 @@ void reply_openerror(struct smb_request *req, NTSTATUS status);
/* The following definitions come from smbd/file_access.c */
-bool can_access_file_acl(struct connection_struct *conn,
- const struct smb_filename *smb_fname,
- uint32_t access_mask);
bool can_delete_file_in_directory(connection_struct *conn,
const struct smb_filename *smb_fname);
-bool can_access_file_data(connection_struct *conn,
- const struct smb_filename *smb_fname,
- uint32 access_mask);
bool can_write_to_file(connection_struct *conn,
const struct smb_filename *smb_fname);
bool directory_has_default_acl(connection_struct *conn, const char *fname);