From 3c4af39aa506a25fc6d6753dbe34e4e1c0dd0b43 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 1 Dec 2011 13:40:49 +1100
Subject: s4-ntvfs: added allow_override check based on use of NT ACL
This disables the posix permission override if the calculated permissions did not come from a NT ACL.
Autobuild-User: Andrew Tridgell
Autobuild-Date: Thu Dec 1 05:14:49 CET 2011 on sn-devel-104
---
 source4/ntvfs/posix/pvfs_acl.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'source4/ntvfs/posix/pvfs_acl.c')
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 664196ab3e..810dcddbd3 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -643,6 +643,14 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
 /* check the acl against the required access mask */
 status = se_access_check(sd, token, *access_mask, access_mask);
 talloc_free(acl);
+
+ /* if we used a NT acl, then allow access override if the
+ share allows for posix permission override
+ */
+ if (NT_STATUS_IS_OK(status)) {
+ name->allow_override = (pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) != 0;
+ }
+
 done:
 if (pvfs->ntvfs->ctx->protocol < PROTOCOL_SMB2_02) {
 /* on SMB, this bit is always granted, even if not
@@ -771,7 +779,11 @@ NTSTATUS pvfs_access_check_parent(struct pvfs_state *pvfs,
 return status;
 }
- return pvfs_access_check_simple(pvfs, req, parent, access_mask);
+ status = pvfs_access_check_simple(pvfs, req, parent, access_mask);
+ if (NT_STATUS_IS_OK(status) && parent->allow_override) {
+ name->allow_override = true;
+ }
+ return status;
 }
-- cgit
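Review bot: `name->allow_override` is written only when `se_access_check()` succeeds, so after a denied check, and on every path that jumps straight to `done:`, the flag keeps whatever value it already had. Because this flag widens access (it lets the share's posix permission override apply), it is safer to make it fail closed, for example `name->allow_override = NT_STATUS_IS_OK(status) && (pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) != 0;`, or to clear it at function entry so the `done:` paths are covered too. Whether `name` always arrives with the flag zeroed is not visible here; the body of pvfs_access_check starts and ends outside the hunk.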
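Review bot: The copy from `parent->allow_override` to `name->allow_override` in pvfs_access_check_parent has no comment, although it is the step that lets a child path inherit the override decision made for its parent directory. A short comment would document the intent, e.g. `/* parent's access came from a NT ACL: let the child use the share's posix permission override too */`. The flag is also only ever raised here, so a value left on `name` by an earlier check survives a failed parent check; presumably callers start from a cleared flag, but that is outside the hunk, as is the start of the function.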