From 6f4e782c5343fc46f9029a549c419e5f3c1e6190 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 11 Oct 2010 17:10:28 -0700 Subject: Canonicalize incoming and outgoing ACLs. Jeremy. --- source3/smbd/nttrans.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 4 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 40a47fde5c..017703ee97 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -836,11 +836,15 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len, struct security_descriptor *psd = NULL; NTSTATUS status; + if (sd_len == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + if (!CAN_WRITE(fsp->conn)) { return NT_STATUS_ACCESS_DENIED; } - if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) { + if (!lp_nt_acl_support(SNUM(fsp->conn))) { return NT_STATUS_OK; } @@ -857,9 +861,43 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len, security_info_sent &= ~SECINFO_GROUP; } - /* Convert all the generic bits. */ - security_acl_map_generic(psd->dacl, &file_generic_mapping); - security_acl_map_generic(psd->sacl, &file_generic_mapping); + /* Ensure we have at least one thing set. */ + if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Ensure we have the rights to do this. */ + if (security_info_sent & SECINFO_OWNER) { + if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) { + return NT_STATUS_ACCESS_DENIED; + } + } + + if (security_info_sent & SECINFO_GROUP) { + if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) { + return NT_STATUS_ACCESS_DENIED; + } + } + + if (security_info_sent & SECINFO_DACL) { + if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) { + return NT_STATUS_ACCESS_DENIED; + } + /* Convert all the generic bits. */ + if (psd->dacl) { + security_acl_map_generic(psd->dacl, &file_generic_mapping); + } + } + + if (security_info_sent & SECINFO_SACL) { + if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) { + return NT_STATUS_ACCESS_DENIED; + } + /* Convert all the generic bits. */ + if (psd->sacl) { + security_acl_map_generic(psd->sacl, &file_generic_mapping); + } + } if (DEBUGLEVEL >= 10) { DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp))); @@ -1808,6 +1846,19 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, return status; } + if (!(security_info_wanted & SECINFO_OWNER)) { + psd->owner_sid = NULL; + } + if (!(security_info_wanted & SECINFO_GROUP)) { + psd->group_sid = NULL; + } + if (!(security_info_wanted & SECINFO_DACL)) { + psd->dacl = NULL; + } + if (!(security_info_wanted & SECINFO_SACL)) { + psd->sacl = NULL; + } + /* If the SACL/DACL is NULL, but was requested, we mark that it is * present in the reply to match Windows behavior */ if (psd->sacl == NULL && -- cgit