4 files changed, 9 insertions, 56 deletions

diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index cc74886810..8af0dad8c3 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -1161,7 +1161,9 @@ static bool user_can_read_file(connection_struct *conn,
 		return True;
 	}
 
-	return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
+	return NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+				smb_fname,
+				FILE_READ_DATA));
 }
 
 /*******************************************************************
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 81cb7bd43f..ae13a0a2a5 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -27,53 +27,6 @@
 #undef  DBGC_CLASS
 #define DBGC_CLASS DBGC_ACLS
 
-/**
- * Security descriptor / NT Token level access check function.
- */
-bool can_access_file_acl(struct connection_struct *conn,
-			 const struct smb_filename *smb_fname,
-			 uint32_t access_mask)
-{
-	NTSTATUS status;
-	uint32_t access_granted;
-	struct security_descriptor *secdesc = NULL;
-	bool ret;
-
-	if (get_current_uid(conn) == (uid_t)0) {
-		/* I'm sorry sir, I didn't know you were root... */
-		return true;
-	}
-
-	status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
-				    (SECINFO_OWNER |
-				     SECINFO_GROUP |
-				     SECINFO_DACL),
-				    &secdesc);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(5, ("Could not get acl: %s\n", nt_errstr(status)));
-		ret = false;
-		goto out;
-	}
-
-	status = se_access_check(secdesc, get_current_nttok(conn),
-				 access_mask, &access_granted);
-	ret = NT_STATUS_IS_OK(status);
-
-	if (DEBUGLEVEL >= 10) {
-		DEBUG(10,("can_access_file_acl for file %s "
-			"access_mask 0x%x, access_granted 0x%x "
-			"access %s\n",
-			smb_fname_str_dbg(smb_fname),
-			(unsigned int)access_mask,
-			(unsigned int)access_granted,
-			ret ? "ALLOWED" : "DENIED" ));
-		NDR_PRINT_DEBUG(security_descriptor, secdesc);
-	}
- out:
-	TALLOC_FREE(secdesc);
-	return ret;
-}
-
 /****************************************************************************
  Actually emulate the in-kernel access checking for delete access. We need
  this to successfully return ACCESS_DENIED on a file open for delete access.
@@ -169,7 +122,9 @@ bool can_delete_file_in_directory(connection_struct *conn,
 	 * check the file DELETE permission separately.
 	 */
 
-	ret = can_access_file_acl(conn, smb_fname_parent, FILE_DELETE_CHILD);
+	ret = NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+				smb_fname_parent,
+				FILE_DELETE_CHILD));
  out:
 	TALLOC_FREE(dname);
 	TALLOC_FREE(smb_fname_parent);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a1a247fca2..eb9f13e22c 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3266,7 +3266,9 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 	if ((create_disposition != FILE_CREATE)
 	    && (access_mask & DELETE_ACCESS)
 	    && (!(can_delete_file_in_directory(conn, smb_fname) ||
-		 can_access_file_acl(conn, smb_fname, DELETE_ACCESS)))) {
+		 NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+				smb_fname,
+				DELETE_ACCESS))))) {
 		status = NT_STATUS_ACCESS_DENIED;
 		DEBUG(10,("create_file_unixpath: open file %s "
 			  "for delete ACCESS_DENIED\n",
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 0b7c28fb91..0a68a6c318 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -303,14 +303,8 @@ void reply_openerror(struct smb_request *req, NTSTATUS status);
 
 /* The following definitions come from smbd/file_access.c  */
 
-bool can_access_file_acl(struct connection_struct *conn,
-			 const struct smb_filename *smb_fname,
-			 uint32_t access_mask);
 bool can_delete_file_in_directory(connection_struct *conn,
 				  const struct smb_filename *smb_fname);
-bool can_access_file_data(connection_struct *conn,
-			  const struct smb_filename *smb_fname,
-			  uint32 access_mask);
 bool can_write_to_file(connection_struct *conn,
 		       const struct smb_filename *smb_fname);
 bool directory_has_default_acl(connection_struct *conn, const char *fname);