Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/proto.h | 6 | ||||
-rw-r--r-- | source3/lib/sharesec.c | 10 | ||||
-rw-r--r-- | source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 4 | ||||
-rw-r--r-- | source3/smbd/service.c | 13 | ||||
-rw-r--r-- | source3/smbd/uid.c | 11 |
5 files changed, 28 insertions, 16 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 91905d3cbc..c6fd474978 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -244,8 +244,10 @@ struct security_descriptor *get_share_security( TALLOC_CTX *ctx, const char *ser size_t *psize); bool set_share_security(const char *share_name, struct security_descriptor *psd); bool delete_share_security(const char *servicename); -bool share_access_check(const struct security_token *token, const char *sharename, - uint32 desired_access); +bool share_access_check(const struct security_token *token, + const char *sharename, + uint32 desired_access, + uint32_t *pgranted); bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, struct security_descriptor **ppsd); /* The following definitions come from lib/smbrun.c */ diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c index ed971a97a6..0c06d7bbee 100644 --- a/source3/lib/sharesec.c +++ b/source3/lib/sharesec.c @@ -410,8 +410,10 @@ bool delete_share_security(const char *servicename) Can this user access with share with the required permissions ? ********************************************************************/ -bool share_access_check(const struct security_token *token, const char *sharename, - uint32 desired_access) +bool share_access_check(const struct security_token *token, + const char *sharename, + uint32 desired_access, + uint32_t *pgranted) { uint32 granted; NTSTATUS status; @@ -428,6 +430,10 @@ bool share_access_check(const struct security_token *token, const char *sharenam TALLOC_FREE(psd); + if (pgranted != NULL) { + *pgranted = granted; + } + return NT_STATUS_IS_OK(status); } diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index 7299d4cb77..7d52a761b6 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c 
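Review bot: In the second sharesec.c hunk `*pgranted = granted;` runs whatever `status` holds, and `granted` is declared without an initialiser (`uint32 granted;` in the first sharesec.c hunk), so the mask handed back on a denied check is only as defined as the access-check call leaves it. The lines between that declaration and `TALLOC_FREE(psd)` are outside both hunks; any early return there would leave `*pgranted` unwritten while the function still reports a result. I would initialise it, `uint32 granted = 0;`, and extend the header comment with something like `pgranted (optional): receives the granted access mask; only meaningful when the function returns true`. The parameter list also mixes `uint32` and `uint32_t`; one spelling throughout would read better.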
@@ -541,8 +541,8 @@ static bool is_enumeration_allowed(struct pipes_struct *p, if (!lp_access_based_share_enum(snum)) return true; - return share_access_check(p->session_info->security_token, lp_servicename(snum), - FILE_READ_DATA); + return share_access_check(p->session_info->security_token, + lp_servicename(snum), FILE_READ_DATA, NULL); } /******************************************************************* diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 73c3c4f20c..c1d4dd1799 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -644,14 +644,15 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, { bool can_write = False; - can_write = share_access_check(conn->session_info->security_token, - lp_servicename(snum), - FILE_WRITE_DATA); + can_write = share_access_check( + conn->session_info->security_token, + lp_servicename(snum), FILE_WRITE_DATA, NULL); if (!can_write) { - if (!share_access_check(conn->session_info->security_token, - lp_servicename(snum), - FILE_READ_DATA)) { + if (!share_access_check( + conn->session_info->security_token, + lp_servicename(snum), FILE_READ_DATA, + NULL)) { /* No access, read or write. */ DEBUG(0,("make_connection: connection to %s " "denied due to security " diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 285b158a19..8114144574 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -121,8 +121,9 @@ static bool check_user_ok(connection_struct *conn, conn); if (!readonly_share && - !share_access_check(session_info->security_token, lp_servicename(snum), - FILE_WRITE_DATA)) { + !share_access_check(session_info->security_token, + lp_servicename(snum), FILE_WRITE_DATA, + NULL)) { /* smb.conf allows r/w, but the security descriptor denies * write. Fall back to looking at readonly. */ readonly_share = True; 
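Review bot: Every caller updated here passes `NULL`, so in make_connection_snum() the read/write decision still comes from two separate share_access_check() calls (FILE_WRITE_DATA, then FILE_READ_DATA), and the check_user_ok() hunks in uid.c keep the same pattern — when the write check succeeds, the second call repeats it with FILE_WRITE_DATA. Each call appears to obtain and free the share descriptor itself (`TALLOC_FREE(psd)` in sharesec.c), so the two answers are not guaranteed to come from the same descriptor state. If returning the granted mask is what the new parameter is for, a comment at these sites such as `/* TODO: derive read/write from one check via pgranted */` would record the intent; whether one call can yield both bits depends on the access-check routine, which is not shown. Both functions continue outside their hunks.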
@@ -130,9 +131,11 @@ static bool check_user_ok(connection_struct *conn, "security descriptor\n")); } - if (!share_access_check(session_info->security_token, lp_servicename(snum), + if (!share_access_check(session_info->security_token, + lp_servicename(snum), readonly_share ? - FILE_READ_DATA : FILE_WRITE_DATA)) { + FILE_READ_DATA : FILE_WRITE_DATA, + NULL)) { return False; } |