From 1e29d730663382875d96c275c60e022a1c33a2d1 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Mon, 2 Sep 2013 17:37:50 +0200
Subject: s3:smbd: ease file server upgrades from 3.6 and earlier with "acl allow execute aways"
3.6 and earlier allowed open for execution when execute permissions are not present on a file. This has been fixed in Samba 4.0. This patch changes smbd to skip the execute bit from the ACL check in the open code if "acl allow execute always = yes", hence re-establishing the old behaviour in this case.
Signed-off-by: Michael Adam
Reviewed-by: Volker Lendecke
Reviewed-by: David Disseldorp
---
 source3/smbd/open.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'source3')
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e5ea71576b..b9618b41dc 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -76,6 +76,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 struct security_descriptor *sd = NULL;
 uint32_t rejected_share_access;
 uint32_t rejected_mask = access_mask;
+ uint32_t do_not_check_mask = 0;
 rejected_share_access = access_mask & ~(conn->share_access);
@@ -143,10 +144,23 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 * se_file_access_check() also takes care of
 * owner WRITE_DAC and READ_CONTROL.
 */
+ do_not_check_mask = FILE_READ_ATTRIBUTES;
+
+ /*
+ * Samba 3.6 and earlier granted execute access even
+ * if the ACL did not contain execute rights.
+ * Samba 4.0 is more correct and checks it.
+ * The compatibilty mode allows to skip this check
+ * to smoothen upgrades.
+ */
+ if (lp_acl_allow_execute_always(SNUM(conn))) {
+ do_not_check_mask |= FILE_EXECUTE;
+ }
+
 status = se_file_access_check(sd,
 get_current_nttok(conn),
 use_privs,
- (access_mask & ~FILE_READ_ATTRIBUTES),
+ (access_mask & ~do_not_check_mask),
 &rejected_mask);
 DEBUG(10,("smbd_check_access_rights: file %s requesting "
-- cgit
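Review bot: In the second hunk, once `lp_acl_allow_execute_always(SNUM(conn))` is true the `FILE_EXECUTE` bit never reaches `se_file_access_check()`, so an explicit deny ACE for execute is ignored as well as a missing allow, while the added comment only describes the missing-allow case. `FILE_EXECUTE` shares its bit value with `FILE_TRAVERSE`, so if this function is also reached for directory opens (not visible in the hunk) the option would relax traverse checks too; that should be confirmed and stated in the comment, e.g. `* Note: this also bypasses explicit deny ACEs for execute; confirm whether directory traverse is affected.` A trace inside the `if`, such as `DEBUG(10, ("smbd_check_access_rights: not checking FILE_EXECUTE (acl allow execute always)\n"));`, would make the relaxed check visible when access decisions are audited. The body of `smbd_check_access_rights` starts and ends outside both hunks, so the later handling of `rejected_mask` could not be reviewed here.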