From a2be29dfa32a675249f743632a24450d5147a112 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 12 Mar 2010 14:31:47 -0800
Subject: Missed a couple more uses of conn->server_info->ptok that need to be get_current_nttok(conn)
Centralize the root check into smb1_file_se_access_check() so this is used by modules/vfs_acl_common.c also.
Jeremy.
---
 source3/include/proto.h | 9 +++++----
 source3/modules/vfs_acl_common.c | 16 +++++++++-------
 source3/smbd/open.c | 41 +++++++++++++++++++++-------------------
 3 files changed, 36 insertions(+), 30 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b4304d27d..6e210de458 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6594,10 +6594,11 @@ void reply_nttranss(struct smb_request *req);
 /* The following definitions come from smbd/open.c */
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
- uint32_t access_desired,
- uint32_t *access_granted);
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted);
 NTSTATUS fd_close(files_struct *fsp);
 void change_file_owner_to_parent(connection_struct *conn, const char *inherit_from_dir,
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 5d6cfe7f3e..9e356b933e 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -471,8 +471,12 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
 nt_errstr(status) ));
 return status;
 }
- status = smb1_file_se_access_check(parent_desc,
- handle->conn->server_info->ptok,
+ if (pp_parent_desc) {
+ *pp_parent_desc = parent_desc;
+ }
+ status = smb1_file_se_access_check(handle->conn,
+ parent_desc,
+ get_current_nttok(handle->conn),
 access_mask, &access_granted);
 if(!NT_STATUS_IS_OK(status)) {
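Review bot: In check_parent_acl_common(), `*pp_parent_desc = parent_desc;` now runs before `smb1_file_se_access_check()`, so the out-parameter is filled in even when the check fails and an error status is returned; the commit message does not mention this change. Callers that treat a non-NULL `*pp_parent_desc` as proof that parent access was granted, or that release it only on success, would need checking, and they are outside this hunk. If returning the descriptor on denial is intended, say so at the assignment, e.g. `/* Set even if the access check below fails; callers must test the returned status. */`. The function starts above this hunk and its tail is in the next one.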
@@ -485,9 +489,6 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
 nt_errstr(status) ));
 return status;
 }
- if (pp_parent_desc) {
- *pp_parent_desc = parent_desc;
- }
 return NT_STATUS_OK;
 }
@@ -535,8 +536,9 @@ static int open_acl_common(vfs_handle_struct *handle,
 &pdesc);
 if (NT_STATUS_IS_OK(status)) {
 /* See if we can access it. */
- status = smb1_file_se_access_check(pdesc,
- handle->conn->server_info->ptok,
+ status = smb1_file_se_access_check(handle->conn,
+ pdesc,
+ get_current_nttok(handle->conn),
 fsp->access_mask, &access_granted);
 if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3eb727f96b..0834e6d3d3 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -50,11 +50,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
 ****************************************************************************/
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
- uint32_t access_desired,
- uint32_t *access_granted)
+NTSTATUS smb1_file_se_access_check(struct connection_struct *conn,
+ const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted)
 {
+ *access_granted = 0;
+
+ if (get_current_uid(conn) == (uid_t)0) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_desired;
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_granted |= FILE_GENERIC_ALL;
+ }
+ return NT_STATUS_OK;
+ }
+
 return se_access_check(sd, token, (access_desired & ~FILE_READ_ATTRIBUTES),
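Review bot: The banner comment above smb1_file_se_access_check() still describes only the FILE_READ_ATTRIBUTES masking and says nothing about the new early return for uid 0. That branch returns `NT_STATUS_OK` before `sd` or `token` is consulted and keys on `get_current_uid(conn)`, so the outcome depends on the connection's current identity rather than on the token argument; the callers in this commit all pass `get_current_nttok(conn)`, but the signature does not enforce that pairing. I would add to the comment something like `If the current uid on conn is 0, access_desired is granted without looking at sd or token; token is expected to be get_current_nttok(conn).` The function body continues past the end of the hunk.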
@@ -74,17 +86,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 NTSTATUS status;
 struct security_descriptor *sd = NULL;
- *access_granted = 0;
-
- if (get_current_uid(conn) == (uid_t)0) {
- /* I'm sorry sir, I didn't know you were root... */
- *access_granted = access_mask;
- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
- *access_granted |= FILE_GENERIC_ALL;
- }
- return NT_STATUS_OK;
- }
-
 status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
@@ -98,8 +99,9 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 return status;
 }
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
 access_mask, access_granted);
@@ -1419,8 +1421,9 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
 return NT_STATUS_ACCESS_DENIED;
 }
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
 access_mask, &access_granted);
-- cgit
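Review bot: At the call in calculate_access_mask(), a root connection now takes the early return in smb1_file_se_access_check() and gets `access_granted` back as `access_mask` itself, plus `FILE_GENERIC_ALL` when `SEC_FLAG_MAXIMUM_ALLOWED` was requested, with that request bit still set; before this commit the same call went through `se_access_check()` for every uid. What is done with `access_granted` after the call is outside the hunk, but if it becomes the effective mask the request flag would be carried into it. Consider clearing the flag in the root branch, e.g. `*access_granted = (access_desired & ~SEC_FLAG_MAXIMUM_ALLOWED) | FILE_GENERIC_ALL;` inside the `if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED)` block, or masking it here after the call.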