From 7dcc247164f53e6a8b36c4024a88fb3759c06b4d Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 30 Mar 2005 02:24:47 +0000
Subject: r6124: Fix for bug #2242 from Tom Lackemann - don't set SD on an NTtransact create unless we created the file. Jeremy. (This used to be commit b42eaf424e34544fae3f0fc473694e61dda2a11c)
---
 source3/smbd/nttrans.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
(limited to 'source3/smbd/nttrans.c')
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 49a6d48ce1..9dcbea5c25 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1461,15 +1461,28 @@ static int call_nt_transact_create(connection_struct *conn, char *inbuf, char *o
 }
 /*
- * Now try and apply the desired SD.
+ * According to the MS documentation, the only time the security
+ * descriptor is applied to the opened file is iff we *created* the
+ * file; an existing file stays the same.
+ *
+ * Also, it seems (from observation) that you can open the file with
+ * any access mask but you can still write the sd. We need to override
+ * the granted access before we call set_sd
+ * Patch for bug #2242 from Tom Lackemann .
 */
- if (lp_nt_acl_support(SNUM(conn)) && sd_len &&
- !NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
- close_file(fsp,False);
- restore_case_semantics(conn, file_attributes);
- return ERROR_NT(status);
- }
+ if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) {
+ uint32 saved_access = fsp->desired_access;
+
+ fsp->desired_access = FILE_GENERIC_ALL;
+
+ if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
+ close_file(fsp,False);
+ restore_case_semantics(conn, file_attributes);
+ return ERROR_NT(status);
+ }
+ fsp->desired_access = saved_access;
+ }
 restore_case_semantics(conn, file_attributes);
-- cgit
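Review bot: The temporary `fsp->desired_access = FILE_GENERIC_ALL` override inside the new `smb_action == FILE_WAS_CREATED` block sidesteps whatever access-mask check set_sd presumably performs, and nothing at the assignment says this is acceptable only because the caller has just created the file. I would add a comment directly above it, e.g. `/* Widen the mask only for a file we just created; restored below, fsp is closed on failure. */`, so a later edit does not relax the guard while keeping the override. Separately, on the set_sd failure path the freshly created file is closed with `close_file(fsp,False)` and, as far as the hunk shows, stays on disk without the requested security descriptor; it is worth confirming whether it should be removed before the error is returned. call_nt_transact_create begins and ends outside the hunk.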