From bec9baf88a54d0e0d3fe1065c27df0f76c960e65 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 8 Sep 2010 20:54:38 -0700
Subject: Don't rely on the underlying ACL modules to enforce share level security when setting ACLs, check at the call level as well. Jeremy.
---
source3/smbd/nttrans.c | 5 +++++
source3/smbd/smb2_setinfo.c | 5 +++++
2 files changed, 10 insertions(+)
(limited to 'source3/smbd')
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 78774dc1b0..1e4e06cf26 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1967,6 +1967,11 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
 return;
 }
+ if (!CAN_WRITE(fsp->conn)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
 if(!lp_nt_acl_support(SNUM(conn))) {
 goto done;
 }
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3e1bdd2771..4b837c13b3 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -311,6 +311,11 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx,
 case 0x03:/* SMB2_SETINFO_SECURITY */ {
+ if (!CAN_WRITE(conn)) {
+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return tevent_req_post(req, ev);
+ }
+
 status = set_sd(fsp, in_input_buffer.data, in_input_buffer.length,
-- cgit
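Review bot: The same five-line share-level guard is pasted into two protocol entry points (here in call_nt_transact_set_security_desc and again in smbd_smb2_setinfo_send in smb2_setinfo.c), so any other path that sets a security descriptor stays unguarded unless the check is copied a third time. If both paths end in a shared helper (the SMB2 hunk calls `set_sd()`; this function's own call is outside the hunk), a single `if (!CAN_WRITE(fsp->conn)) return NT_STATUS_ACCESS_DENIED;` at the top of that helper would enforce it once for every caller. Wherever the check lives, a comment such as `/* Enforce share-level read-only here; do not rely on the VFS ACL module to do it. */` would record why it is not left to the ACL layer. The guard also runs before the `lp_nt_acl_support()` test, so a read-only share with NT ACL support disabled now gets ACCESS_DENIED instead of taking the `goto done` path; that looks intended but deserves a line in the commit message.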
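Review bot: This guard tests `conn` while the otherwise identical guard added in nttrans.c tests `fsp->conn`; presumably both name the same connection, but one spelling in both places (`fsp->conn`) would make it plain that the share being checked is the one the handle belongs to. `CAN_WRITE` covers only the share-level read-only state. Whether the handle was opened with WRITE_DAC or WRITE_OWNER access is not checked in the visible lines and is presumably left to `set_sd()`, whose body is outside this hunk, so a short comment saying where the per-handle check happens would help the next reader. The enclosing switch and function continue outside the hunk.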