summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 3d276431dc..1dd40c0e06 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -349,6 +349,13 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
uid_t uid = geteuid();
uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL;
+ if ((pvfs->flags & PVFS_FLAG_READONLY) &&
+ ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
+ SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_DIR_DELETE_CHILD))) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
/* owner and root get extra permissions */
if (uid == 0) {
max_bits |= SEC_STD_ALL | SEC_FLAG_SYSTEM_SECURITY;
@@ -390,6 +397,13 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
NTSTATUS status;
struct security_descriptor *sd;
+ if ((pvfs->flags & PVFS_FLAG_READONLY) &&
+ ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
+ SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_DIR_DELETE_CHILD))) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
acl = talloc(req, struct xattr_NTACL);
if (acl == NULL) {
return NT_STATUS_NO_MEMORY;