From e42ded24a085a9bfaae0e4973b8dd52681b51a8a Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 29 May 2008 18:23:20 +1000
Subject: SEC_FILE_READ_ATTRIBUTE is only automatically granted on SMB, not
 SMB2 (This used to be commit 7bff0691428ed3f75c1a9cbaae692bc9830640e6)

---
 source4/ntvfs/posix/pvfs_acl.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'source4/ntvfs/posix/pvfs_acl.c')

diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 507c22f050..089631a307 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -464,7 +464,11 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	*access_mask |= SEC_FILE_READ_ATTRIBUTE;
+	if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+		/* on SMB, this bit is always granted, even if not
+		   asked for */
+		*access_mask |= SEC_FILE_READ_ATTRIBUTE;
+	}
 
 	return NT_STATUS_OK;
 }
@@ -518,8 +522,11 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
 	/* check the acl against the required access mask */
 	status = sec_access_check(sd, token, *access_mask, access_mask);
 
-	/* this bit is always granted, even if not asked for */
-	*access_mask |= SEC_FILE_READ_ATTRIBUTE;
+	if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+		/* on SMB, this bit is always granted, even if not
+		   asked for */
+		*access_mask |= SEC_FILE_READ_ATTRIBUTE;
+	}
 
 	talloc_free(acl);
 	
-- 
cgit 


From c86dc11be6e626fa81f025d7ec78226fb4249cdc Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 29 May 2008 19:16:26 +1000
Subject: added support for returning the maximal access MXAC tag in SMB2
 create (This used to be commit 4eb49335d5f0319f9aa47ded5215a2977d3336bf)

---
 source4/ntvfs/posix/pvfs_acl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'source4/ntvfs/posix/pvfs_acl.c')

diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 089631a307..623b1ae5e9 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -807,3 +807,15 @@ NTSTATUS pvfs_acl_inherit(struct pvfs_state *pvfs,
 	
 	return status;
 }
+
+/*
+  return the maximum allowed access mask
+*/
+NTSTATUS pvfs_access_maximal_allowed(struct pvfs_state *pvfs, 
+				     struct ntvfs_request *req,
+				     struct pvfs_filename *name,
+				     uint32_t *maximal_access)
+{
+	*maximal_access = SEC_FLAG_MAXIMUM_ALLOWED;
+	return pvfs_access_check(pvfs, req, name, maximal_access);
+}
-- 
cgit 


From f0bc7c07fe3148adee4ee625fcfc24cd5d4cc034 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 29 May 2008 22:22:42 +1000
Subject: don't mask out SEC_FILE_READ_ATTRIBUTE on SMB2 (This used to be
 commit 1dfa50a48040bdc1166be2dbe1063fd8a79166f8)

---
 source4/ntvfs/posix/pvfs_acl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'source4/ntvfs/posix/pvfs_acl.c')

diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 623b1ae5e9..9a9200e4f0 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -500,7 +500,9 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
 
 	/* expand the generic access bits to file specific bits */
 	*access_mask = pvfs_translate_mask(*access_mask);
-	*access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+	if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+		*access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+	}
 
 	status = pvfs_acl_load(pvfs, name, -1, acl);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-- 
cgit