path: root/source3/smbd/file_access.c
Age | Commit message | Author | Files | Lines
2013-04-17 | smbd: Convert can_delete_file_in_directory to synthetic_smb_fname | Volker Lendecke | 1 | -5/+3
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2012-11-20 | More for #9374 - Allow smb2.acls torture test to pass against smbd with a POSIX ACLs backend. | Jeremy Allison | 1 | -2/+1
Change can_delete_directory() to can_delete_directory_fsp(), as we only ever call this from an open directory file handle. This allows us to use OpenDir_fsp() instead of OpenDir(). OpenDir() re-checks the ACL on the directory, which may refuse DIR_LIST permissions. OpenDir_fsp() does not. As this is a file-server internal check to see if the directory actually contains any files before setting delete on close, we can ignore the ACL here (Windows does). Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue Nov 20 01:46:28 CET 2012 on sn-devel-104
2012-10-11 | smbd: Add mem_ctx to {f,}get_nt_acl VFS call | Andrew Bartlett | 1 | -2/+2
This makes it clear which context the returned SD is allocated on, as a number of callers do not want it on talloc_tos(). As the ACL transformation allocates and then no longer needs a great deal of memory, a talloc_stackframe() call is used to contain the memory that is not returned further up the stack. Andrew Bartlett
2012-09-14 | Add bool use_privs parameter to smbd_check_access_rights() | Jeremy Allison | 1 | -0/+2
If this is set we should use it in preference to blindly assuming root can do anything. Currently set to 'false' in (most) callers.
2012-03-29 | Based on code from Richard Sharpe <realrichardsharpe@gmail.com>, | Jeremy Allison | 1 | -1/+4
ensure we don't crash on a NULL DACL.
2011-12-13 | s3: Move can_set_delete_on_close to smbd/ | Volker Lendecke | 1 | -0/+59
2011-11-04 | can_write_to_file() does now take share permissions into account. Fix comment. | Jeremy Allison | 1 | -1/+0
2011-11-04 | Remove can_access_file_acl(). We no longer need this duplicate code (hurrah!). | Jeremy Allison | 1 | -48/+3
2011-11-04 | Remove can_access_file_data() - make it use the standard smbd_check_access_rights() instead. | Jeremy Allison | 1 | -56/+3
2011-11-04 | Add const to the smb_filename argument of smbd_check_access_rights(). | Jeremy Allison | 1 | -13/+5
2011-06-24 | Fix bug #8254 - "acl check permissions = no" does not work in all cases | Jeremy Allison | 1 | -0/+5
Move lp_acl_check_permissions() into can_delete_file_in_directory() where it makes sense. Remove ACL check when requesting DELETE_ACCESS when lp_acl_check_permissions is false. Thanks to John Janosik @ IBM for noticing this. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jun 24 01:18:11 CEST 2011 on sn-devel-104
2011-03-30 | s3: include smbd/smbd.h where needed. | Günther Deschner | 1 | -0/+1
Guenther
2011-03-30 | s3-includes: only include system/filesys.h when needed. | Günther Deschner | 1 | -0/+1
Guenther
2010-10-12 | libcli/security Provide a common, top level libcli/security/security.h | Andrew Bartlett | 1 | -0/+1
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-06-03 | s3-security: use shared SECINFO_DACL define. | Günther Deschner | 1 | -2/+2
Guenther
2010-06-03 | s3-security: use shared SECINFO_GROUP define. | Günther Deschner | 1 | -1/+1
Guenther
2010-06-03 | s3-security: use shared SECINFO_OWNER define. | Günther Deschner | 1 | -1/+1
Guenther
2010-05-31 | s3-build: only use ndr_security.h where needed. | Günther Deschner | 1 | -0/+1
Guenther
2010-03-15 | Switch over to using get_current_XXX() accessor functions. | Jeremy Allison | 1 | -7/+7
Jeremy.
2010-03-15 | Revert e80ceb1d7355c8c46a2ed90d5721cf367640f4e8 "Remove more uses of "extern struct current_user current_user;"." | Jeremy Allison | 1 | -4/+4
As requested by Volker, split this into smaller commits. Jeremy.
2010-03-12 | Remove more uses of "extern struct current_user current_user;". | Jeremy Allison | 1 | -4/+4
Use accessor functions to get to this value. Tidies up much of the user context code. Volker, please look at the changes in smbd/uid.c to familiarize yourself with these changes as I think they make the logic in there cleaner. Cause smbd/posix_acls.c code to look at current user context, not stored context on the conn struct - allows correct use of these function calls under a become_root()/unbecome_root() pair. Jeremy.
2010-01-12 | Make file access control decisions a lot easier to debug (at level 10). | Jeremy Allison | 1 | -0/+11
Jeremy.
2009-07-21 | s3: Remove unnecessary callers of get_full_smb_filename | Tim Prouty | 1 | -9/+1
This often times means explicitly denying certain operations on a stream as they are not supported or don't make sense at a particular level. At some point in the future these can be enabled, but for now it's better to remove ambiguity
2009-06-25 | s3 file_access: Convert some more functions over to use smb_filename | Tim Prouty | 1 | -16/+3
2009-06-24 | s3: Plumb smb_filename through SMB_VFS_STAT and SMB_VFS_LSTAT | Tim Prouty | 1 | -40/+83
This patch introduces two new temporary helper functions vfs_stat_smb_fname and vfs_lstat_smb_fname. They basically allowed me to call the new smb_filename version of stat, while avoiding plumbing it through callers that are still too inconvenient. As the conversion moves along, I will be able to remove callers of this, with the goal being to remove all callers. There was also a bug in create_synthetic_smb_fname_split (also a temporary utility function) that caused it to incorrectly handle filenames with ':'s in them when in posix mode. This is now fixed.
2009-06-18 | Add some const to the stat struct in the dosmode calls. | Jeremy Allison | 1 | -8/+3
Fix a couple more unix_convert uses to filename_convert. Fix bug in acl_group_override() where an uninitialized struct could be used. Move unix_convert with wildcard use in SMBsearch reply to boilerplate code. Jeremy.
2009-06-17 | s3: Plumb smb_filename from create_file all of the way down to fd_open | Tim Prouty | 1 | -6/+19
I used the smb_filename struct everywhere that was feasible for the first pass. There are still some places in this path that need to be changed to use smb_filename, but this is a good start. I also:
- Removed fname/path arguments from a few functions that weren't really using them.
- Added a utility function for detecting whether an smb_filename is a stream.
2009-06-11 | Fix bug #6297 - owner of sticky directory cannot delete files created by others. | Jeremy Allison | 1 | -2/+13
The reason we couldn't delete was we were erroring out early if requestor was not the owner of the file we wanted to delete, instead of checking if the requestor owned the directory as well. If either of these is true, we must go on and check the ACL. Karolin, this is a must for 3.4.0 and also 3.3.next. I'll update the bug report with patches for 3.4.0 and 3.3.next and ask vl to review. Jeremy.
2009-05-26 | Introduce "struct stat_ex" as a replacement for SMB_STRUCT_STAT | Volker Lendecke | 1 | -7/+7
This patch introduces

    struct stat_ex {
        dev_t st_ex_dev;
        ino_t st_ex_ino;
        mode_t st_ex_mode;
        nlink_t st_ex_nlink;
        uid_t st_ex_uid;
        gid_t st_ex_gid;
        dev_t st_ex_rdev;
        off_t st_ex_size;
        struct timespec st_ex_atime;
        struct timespec st_ex_mtime;
        struct timespec st_ex_ctime;
        struct timespec st_ex_btime; /* birthtime */
        blksize_t st_ex_blksize;
        blkcnt_t st_ex_blocks;
    };
    typedef struct stat_ex SMB_STRUCT_STAT;

It is really large because due to the friendly libc headers playing macro tricks with fields like st_ino, so I renamed them to st_ex_xxx.

Why this change? To support birthtime, we already have quite a few #ifdef's at places where it does not really belong. With a stat struct that we control, we can consolidate the nanosecond timestamps and the birthtime deep in the VFS stat calls. At this moment it is triggered by a request to support the birthtime field for GPFS. GPFS does not extend the system level struct stat, but instead has a separate call that gets us the additional information beyond posix. Without being able to do that within the VFS stat calls, that support would have to be scattered around the main smbd code.

It will very likely break all the onefs modules, but I think the changes will be reasonably easy to do.
2009-03-04 | Fix bug #6154 - zfs does not honor admin users. | Jeremy Allison | 1 | -0/+5
Jeremy
2009-02-02 | Fix bug #6082 - smbd_gpfs_getacl failed: Windows client can´t rename or delete file | Jeremy Allison | 1 | -8/+3
This fixes the generic rename/delete problem for 3.3.0 and above. Fixed slightly differently to discussions, user viewable modified ACLs are not a good idea :-). Jeremy.
2008-12-31 | Rename parent_dirname_talloc() to parent_dirname() | Volker Lendecke | 1 | -4/+1
2008-10-31 | Unify se_access_check with the S4 code. Will make | Jeremy Allison | 1 | -4/+3
calculation of SEC_FLAG_MAXIMUM_ALLOWED much easier for files. Jeremy.
2008-06-19 | Wrap the unix token info in a unix_user_token in auth_serversupplied_info | Volker Lendecke | 1 | -4/+4
No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445)
2008-06-19 | Fix checks in can_delete_file_in_directory() | Volker Lendecke | 1 | -6/+15
With at least NFSv4 ACLs around the write permission for the owner is a bogus check if we can delete a file in a directory. Like in Windows, there are two ways which can grant us such: First, the DELETE permission on the file itself, or if that does not help, the DELETE_CHILD permission on the directory. It might be a bit more code that runs, but essentially we should end up with the same set of syscalls in the non-acl case. (This used to be commit daa9b056645a45edfb3a70e3536011ebe5678970)
2008-06-18 | file_access: add a function header comment for can_access_file_acl(). | Michael Adam | 1 | -0/+3
Michael (This used to be commit 7d5fb873bde0a84de522650945effeaf602c759e)
2008-06-17 | file_access: remove unneeded stat buf parameter from can_access_file_acl(). | Michael Adam | 1 | -3/+3
This is a security descriptor level function only. Michael (This used to be commit 5931540fa1681f026fed42df387d17e43c493c47)
2008-06-15 | Remove the reference to current_user from file_access.c | Volker Lendecke | 1 | -8/+6
conn holds the current user info (This used to be commit 093bc5f2b33ebf90e04bc17e51b1695b1b932bf2)
2008-05-02 | Remove the "stat_open()" function, flag, and all associated code. It was only | Jeremy Allison | 1 | -4/+4
being (correctly) used in the can_read/can_write checks for hide unreadable/unwritable and this is more properly done using the functions in smbd/file_access.c. Preparing to do NT access checks on all file access. Jeremy. (This used to be commit 6bfb06ad95963ae2acb67c4694a98282d3b29faa)
2008-05-02 | Move directory_has_default_acl() to file_access.c, belongs | Jeremy Allison | 1 | -0/+27
there as it no longer uses explicit POSIX ACL calls. Jeremy. (This used to be commit ac1eac9b0d07b7b3d341c06ef1a8fd8f3c05a618)
2007-12-19 | Change the prototype of the vfs function get_nt_acl(). | Michael Adam | 1 | -62/+5
Up to now, get_nt_acl() took a files_struct pointer (fsp) and a file name. All the underlying functions should need and now do need (after the previous preparatory work), is a connection_struct and a file name. The connection_struct is already there in the vfs_handle passed to the vfs functions. So the files_struct argument can be eliminated. This eliminates the need of calling open_file_stat in a couple of places to produce the fsp needed. Michael (This used to be commit b5f600fab53c9d159a958c59795db3ba4a8acc63)
2007-11-13 | Fix potential orphaned open files. | Michael Adam | 1 | -2/+4
Calling can_access_file could lead to orphaned open files when SMB_VFS_GET_NT_ACL returned ENOSYS (not implemented). Michael (This used to be commit f4f700cf0c1657c36e801fab20fe7b1a4efcb714)
2007-11-13 | Make [f]get_nt_acl return NTSTATUS | Volker Lendecke | 1 | -8/+7
(This used to be commit dcbe1bf942d017a3cd5084c6ef605a13912f795b)
2007-11-11 | Cosmetic fix | Volker Lendecke | 1 | -3/+5
Do directory vs file open before entering open_file_stat (This used to be commit cd62122916defbfb57468c3b82a60b766fc4652e)
2007-11-06 | Move some access check functions that are not posix-acl specific | Michael Adam | 1 | -0/+239
to a new source file of their own. Michael (This used to be commit 9dd18bb534bca6b5de6cad9580b48681b36c0832)