summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/libcli/security/access_check.c11
-rw-r--r--source4/ntvfs/posix/pvfs_open.c10
2 files changed, 17 insertions, 4 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 7e70736d09..425a5c2b6d 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -49,8 +49,9 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd,
unsigned i;
if (sid_active_in_token(sd->owner_sid, token)) {
- granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
}
+ granted |= SEC_STD_DELETE;
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -84,15 +85,17 @@ NTSTATUS sec_access_check(struct security_descriptor *sd,
int i;
uint32_t bits_remaining;
+ *access_granted = access_desired;
+ bits_remaining = access_desired;
+
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+ *access_granted = access_desired;
+ bits_remaining = access_desired & ~SEC_STD_DELETE;
}
- *access_granted = access_desired;
- bits_remaining = access_desired;
-
#if 0
/* this is where we should check for the "system security" privilege, once we
move to the full security_token and not just the nt_user_token */
diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c
index 17740f7636..a53deda270 100644
--- a/source4/ntvfs/posix/pvfs_open.c
+++ b/source4/ntvfs/posix/pvfs_open.c
@@ -103,6 +103,7 @@ static NTSTATUS pvfs_open_directory(struct pvfs_state *pvfs,
int fnum;
NTSTATUS status;
uint32_t create_action;
+ uint32_t access_mask = io->generic.in.access_mask;
if (name->stream_name) {
return NT_STATUS_NOT_A_DIRECTORY;
@@ -152,6 +153,14 @@ static NTSTATUS pvfs_open_directory(struct pvfs_state *pvfs,
return NT_STATUS_TOO_MANY_OPENED_FILES;
}
+ if (name->exists) {
+ /* check the security descriptor */
+ status = pvfs_access_check(pvfs, req, name, &access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
f->fnum = fnum;
f->session = req->session;
f->smbpid = req->smbpid;
@@ -160,6 +169,7 @@ static NTSTATUS pvfs_open_directory(struct pvfs_state *pvfs,
f->lock_count = 0;
f->share_access = io->generic.in.share_access;
f->impersonation = io->generic.in.impersonation;
+ f->access_mask = access_mask;
f->handle->pvfs = pvfs;
f->handle->name = talloc_steal(f->handle, name);