4 files changed, 170 insertions, 18 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 4d42664f25..a41c810816 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3765,7 +3765,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p);
 /*The following definitions come from  rpc_server/srv_srvsvc_nt.c  */
 
 BOOL share_info_db_init(void);
-SEC_DESC *get_share_security( TALLOC_CTX *ctx, int snum, size_t *psize);
+BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access);
 uint32 _srv_net_srv_get_info(pipes_struct *p, SRV_Q_NET_SRV_GET_INFO *q_u, SRV_R_NET_SRV_GET_INFO *r_u);
 uint32 _srv_net_file_enum(pipes_struct *p, SRV_Q_NET_FILE_ENUM *q_u, SRV_R_NET_FILE_ENUM *r_u);
 uint32 _srv_net_conn_enum(pipes_struct *p, SRV_Q_NET_CONN_ENUM *q_u, SRV_R_NET_CONN_ENUM *r_u);
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 5c1c16c02a..4395a20e46 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -158,7 +158,7 @@ static SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, int snum, size_t *
  Pull a security descriptor from the share tdb.
  ********************************************************************/
 
-SEC_DESC *get_share_security( TALLOC_CTX *ctx, int snum, size_t *psize)
+static SEC_DESC *get_share_security( TALLOC_CTX *ctx, int snum, size_t *psize)
 {
 	prs_struct ps;
 	fstring key;
@@ -184,7 +184,7 @@ SEC_DESC *get_share_security( TALLOC_CTX *ctx, int snum, size_t *psize)
  Store a security descriptor in the share db.
  ********************************************************************/
 
-static BOOL set_share_security(TALLOC_CTX *ctx, int snum, SEC_DESC *psd)
+static BOOL set_share_security(TALLOC_CTX *ctx, const char *share_name, SEC_DESC *psd)
 {
 	prs_struct ps;
 	TALLOC_CTX *mem_ctx = NULL;
@@ -201,13 +201,13 @@ static BOOL set_share_security(TALLOC_CTX *ctx, int snum, SEC_DESC *psd)
         goto out;
     }
  
-	slprintf(key, sizeof(key)-1, "SECDESC/%s", lp_servicename(snum));
+	slprintf(key, sizeof(key)-1, "SECDESC/%s", share_name);
  
     if (tdb_prs_store(share_tdb, key, &ps)==0) {
         ret = True;
-        DEBUG(5,("set_share_security: stored secdesc for %s\n", lp_servicename(snum) ));
+        DEBUG(5,("set_share_security: stored secdesc for %s\n", share_name ));
     } else {
-        DEBUG(1,("set_share_security: Failed to store secdesc for %s\n", lp_servicename(snum) ));
+        DEBUG(1,("set_share_security: Failed to store secdesc for %s\n", share_name ));
     }
 
     /* Free malloc'ed memory */
@@ -243,6 +243,73 @@ static BOOL delete_share_security(int snum)
 }
 
 /*******************************************************************
+ Does this security descriptor map to a read only share ?
+********************************************************************/
+
+static BOOL read_only_share_sd(SEC_DESC *psd)
+{
+	int i;
+	SEC_ACL *ps_dacl = psd->dacl;
+
+	if (!ps_dacl)
+		return True;
+
+	for (i = 0; i < ps_dacl->num_aces; i++) {
+		SEC_ACE *psa = &ps_dacl->ace[i];
+
+		if (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED &&
+				psa->info.mask & FILE_WRITE_DATA)
+			return False;
+	}
+
+	return True;
+}
+
+/*******************************************************************
+ Can this user access with share with the required permissions ?
+********************************************************************/
+
+BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access)
+{
+	uint32 granted, status;
+	TALLOC_CTX *mem_ctx = NULL;
+	SEC_DESC *psd = NULL;
+	size_t sd_size;
+	struct current_user tmp_user;
+	struct current_user *puser = NULL;
+	user_struct *vuser = get_valid_user_struct(vuid);
+	BOOL ret = True;
+
+	mem_ctx = talloc_init();
+	if (mem_ctx == NULL)
+		return False;
+
+	psd = get_share_security(mem_ctx, snum, &sd_size);
+
+	if (!psd)
+		goto out;
+
+	if (vuser) {
+		ZERO_STRUCT(tmp_user);
+		tmp_user.vuid = vuid;
+		tmp_user.uid = vuser->uid;
+		tmp_user.gid = vuser->gid;
+		tmp_user.ngroups = vuser->n_groups;
+		tmp_user.groups = vuser->groups;
+		tmp_user.nt_user_token = vuser->nt_user_token;
+		puser = &tmp_user;
+	}
+
+	ret = se_access_check(psd, puser, desired_access, &granted, &status);
+
+  out:
+
+	talloc_destroy(mem_ctx);
+
+	return ret;
+}
+
+/*******************************************************************
  Fill in a share info level 502 structure.
  ********************************************************************/
 
@@ -1120,7 +1187,8 @@ uint32 _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S
 	int snum;
 	int ret;
 	char *ptr;
-	BOOL read_only;
+	SEC_DESC *psd = NULL;
+	BOOL read_only = False;
 
 	DEBUG(5,("_srv_net_share_set_info: %d\n", __LINE__));
 
@@ -1139,27 +1207,76 @@ uint32 _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S
 	if (user.uid != 0)
 		return ERROR_ACCESS_DENIED;
 
-	if (!lp_change_share_cmd())
-		return ERROR_ACCESS_DENIED;
-
 	switch (q_u->info_level) {
 	case 1:
+		/* Not enough info in a level 1 to do anything. */
 		return ERROR_ACCESS_DENIED;
-		break;
 	case 2:
-		return ERROR_ACCESS_DENIED;
+		unistr2_to_ascii(comment, &q_u->info.share.info2.info_2_str.uni_remark, sizeof(share_name));
+		unistr2_to_ascii(pathname, &q_u->info.share.info2.info_2_str.uni_path, sizeof(share_name));
+		type = q_u->info.share.info2.info_2.type;
+		read_only = False; /* No SD means "Everyone full access. */
 		break;
 	case 502:
-		/* we set sd's here. FIXME. JRA */
-		return ERROR_ACCESS_DENIED;
+		unistr2_to_ascii(comment, &q_u->info.share.info502.info_502_str.uni_remark, sizeof(share_name));
+		unistr2_to_ascii(pathname, &q_u->info.share.info502.info_502_str.uni_path, sizeof(share_name));
+		type = q_u->info.share.info502.info_502.type;
+		psd = q_u->info.share.info502.info_502_str.sd;
+		read_only = read_only_share_sd(psd);
 		break;
 	case 1005:
 		return ERROR_ACCESS_DENIED;
-		break;
 	default:
 		DEBUG(5,("_srv_net_share_set_info: unsupported switch value %d\n", q_u->info_level));
 		return NT_STATUS_INVALID_INFO_CLASS;
-		break;
+	}
+
+	/* We can only modify disk shares. */
+	if (type != STYPE_DISKTREE)
+		return ERROR_ACCESS_DENIED;
+		
+	/* Check if the pathname is valid. */
+	if (!(ptr = valid_share_pathname( pathname )))
+		return ERRbadpath;
+
+	/* Ensure share name, pathname and comment don't contain '"' characters. */
+	string_replace(share_name, '"', ' ');
+	string_replace(ptr, '"', ' ');
+	string_replace(comment, '"', ' ');
+
+	/* Only call modify function if something changed. */
+
+	if (read_only != lp_readonly(snum) || strcmp(ptr, lp_pathname(snum)) || strcmp(comment, lp_comment(snum)) ) {
+		if (!lp_change_share_cmd())
+			return ERROR_ACCESS_DENIED;
+
+		slprintf(command, sizeof(command)-1, "%s \"%s\" \"%s\" \"%s\" \"%s\"",
+				lp_change_share_cmd(), share_name, ptr, comment,
+				read_only ? "read only = yes" : "read only = no" );
+		dos_to_unix(command, True);  /* Convert to unix-codepage */
+
+		DEBUG(10,("_srv_net_share_set_info: Running [%s]\n", command ));
+		if ((ret = smbrun(command, NULL, False)) != 0) {
+			DEBUG(0,("_srv_net_share_set_info: Running [%s] returned (%d)\n", command, ret ));
+			return ERROR_ACCESS_DENIED;
+		}
+
+		/* Send SIGHUP to process group. */
+		kill(0, SIGHUP);
+	}
+
+	/* Replace SD if changed. */
+	if (psd) {
+		SEC_DESC *old_sd;
+		size_t sd_size;
+
+		old_sd = get_share_security(p->mem_ctx, snum, &sd_size);
+
+		if (old_sd && !sec_desc_equal(old_sd, psd)) {
+			if (!set_share_security(p->mem_ctx, share_name, psd))
+				DEBUG(0,("_srv_net_share_set_info: Failed to change security info in share %s.\n",
+					share_name ));
+		}
 	}
 
 	DEBUG(5,("_srv_net_share_set_info: %d\n", __LINE__));
@@ -1168,7 +1285,7 @@ uint32 _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S
 }
 
 /*******************************************************************
- Net share add. Call 'add_share_command "sharename" "pathname" "comment"'
+ Net share add. Call 'add_share_command "sharename" "pathname" "comment" "read only = xxx"'
 ********************************************************************/
 
 uint32 _srv_net_share_add(pipes_struct *p, SRV_Q_NET_SHARE_ADD *q_u, SRV_R_NET_SHARE_ADD *r_u)
@@ -1183,6 +1300,7 @@ uint32 _srv_net_share_add(pipes_struct *p, SRV_Q_NET_SHARE_ADD *q_u, SRV_R_NET_S
 	int ret;
 	char *ptr;
 	BOOL read_only = False;
+	SEC_DESC *psd = NULL;
 
 	DEBUG(5,("_srv_net_share_add: %d\n", __LINE__));
 
@@ -1208,11 +1326,12 @@ uint32 _srv_net_share_add(pipes_struct *p, SRV_Q_NET_SHARE_ADD *q_u, SRV_R_NET_S
 		read_only = False; /* No SD means "Everyone full access. */
 		break;
 	case 502:
-		/* we set sd's here. FIXME. JRA */
 		unistr2_to_ascii(share_name, &q_u->info.share.info502.info_502_str.uni_netname, sizeof(share_name));
 		unistr2_to_ascii(comment, &q_u->info.share.info502.info_502_str.uni_remark, sizeof(share_name));
 		unistr2_to_ascii(pathname, &q_u->info.share.info502.info_502_str.uni_path, sizeof(share_name));
 		type = q_u->info.share.info502.info_502.type;
+		psd = q_u->info.share.info502.info_502_str.sd;
+		read_only = read_only_share_sd(psd);
 		break;
 	case 1005:
 		/* DFS only level. */
@@ -1252,6 +1371,12 @@ uint32 _srv_net_share_add(pipes_struct *p, SRV_Q_NET_SHARE_ADD *q_u, SRV_R_NET_S
 		return ERROR_ACCESS_DENIED;
 	}
 
+	if (psd) {
+		if (!set_share_security(p->mem_ctx, share_name, psd))
+			DEBUG(0,("_srv_net_share_add: Failed to add security info to share %s.\n",
+				share_name ));
+	}
+
 	/* Send SIGHUP to process group. */
 	kill(0, SIGHUP);
 
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index adf57b3f55..84b7109294 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -765,6 +765,10 @@ static void usage(char *pname)
 		exit(1);
 	}
 
+	if (!share_info_db_init()) {
+		exit(1);
+	}
+
 	if(!initialize_password_db(False)) {
 		exit(1);
 	}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index e20786595c..11ae11054a 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -343,6 +343,29 @@ connection_struct *make_connection(char *service,char *user,char *password, int
 
 	conn->read_only = lp_readonly(snum);
 
+	/*
+	 * New code to check if there's a share security descripter
+	 * added from NT server manager. This is an additional check
+	 * before the smb.conf checks are done. JRA.
+	 */
+
+	{
+		BOOL can_write = share_access_check(snum, vuid, FILE_WRITE_DATA);
+
+		if (!can_write) {
+			if (!share_access_check(snum, vuid, FILE_READ_DATA)) {
+				/* No access, read or write. */
+				*ecode = ERRaccess;
+				DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
+					service ));
+				conn_free(conn);
+				return NULL;
+			} else {
+				conn->read_only = True;
+			}
+		}
+	}
+
 	{
 		pstring list;
 		StrnCpy(list,lp_readlist(snum),sizeof(pstring)-1);