From f347be4c738450e910d8453cef03c273069899a3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 12 Apr 2006 16:27:53 +0000
Subject: r15057: fix access masks for getting and setting security_descriptors

I'll add some torture tests later...

metze
(This used to be commit ce045f4df37b6740f2bf849fd06ab51c682ea0b7)
---
 source4/ntvfs/posix/pvfs_qfileinfo.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

(limited to 'source4/ntvfs/posix/pvfs_qfileinfo.c')

diff --git a/source4/ntvfs/posix/pvfs_qfileinfo.c b/source4/ntvfs/posix/pvfs_qfileinfo.c
index fb1b0aa3f9..e4e69a8289 100644
--- a/source4/ntvfs/posix/pvfs_qfileinfo.c
+++ b/source4/ntvfs/posix/pvfs_qfileinfo.c
@@ -28,11 +28,11 @@
 /*
   determine what access bits are needed for a call
 */
-static uint32_t pvfs_fileinfo_access(enum smb_fileinfo_level level)
+static uint32_t pvfs_fileinfo_access(union smb_fileinfo *info)
 {
 	uint32_t needed;
 
-	switch (level) {
+	switch (info->generic.level) {
 	case RAW_FILEINFO_EA_LIST:
 	case RAW_FILEINFO_ALL_EAS:
 		needed = SEC_FILE_READ_EA;
@@ -43,14 +43,24 @@ static uint32_t pvfs_fileinfo_access(enum smb_fileinfo_level level)
 		break;
 
 	case RAW_FILEINFO_SEC_DESC:
-		needed = SEC_STD_READ_CONTROL;
+		needed = 0;
+		if (info->query_secdesc.in.secinfo_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+			needed |= SEC_STD_READ_CONTROL;
+		}
+		if (info->query_secdesc.in.secinfo_flags & SECINFO_DACL) {
+			needed |= SEC_STD_READ_CONTROL;
+		}
+		if (info->query_secdesc.in.secinfo_flags & SECINFO_SACL) {
+			needed |= SEC_FLAG_SYSTEM_SECURITY;
+		}
 		break;
 
 	default:
 		needed = SEC_FILE_READ_ATTRIBUTE;
 		break;
 	}
-	return needed;	
+
+	return needed;
 }
 
 /*
@@ -304,7 +314,7 @@ NTSTATUS pvfs_qpathinfo(struct ntvfs_module_context *ntvfs,
 	}
 
 	status = pvfs_access_check_simple(pvfs, req, name, 
-					  pvfs_fileinfo_access(info->generic.level));
+					  pvfs_fileinfo_access(info));
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -332,7 +342,7 @@ NTSTATUS pvfs_qfileinfo(struct ntvfs_module_context *ntvfs,
 	}
 	h = f->handle;
 
-	access_needed = pvfs_fileinfo_access(info->generic.level);
+	access_needed = pvfs_fileinfo_access(info);
 	if ((f->access_mask & access_needed) != access_needed) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
-- 
cgit