From 3feb4423f3ec35dd3dfa2c358797a4f6a86b2fb5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 9 Jan 2005 08:27:35 +0000 Subject: r4615: added acl checking on directory search in pvfs (This used to be commit 0e61a422bd9a1596a284c176f033e958bbeaa8ce) --- source4/ntvfs/posix/pvfs_acl.c | 9 +++++---- source4/ntvfs/posix/pvfs_mkdir.c | 4 ++-- source4/ntvfs/posix/pvfs_rename.c | 10 +++++----- source4/ntvfs/posix/pvfs_search.c | 11 +++++++++++ source4/ntvfs/posix/pvfs_setfileinfo.c | 2 +- 5 files changed, 24 insertions(+), 12 deletions(-) (limited to 'source4/ntvfs/posix') diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 590c9c18b5..e38f2c9ecb 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -452,9 +452,10 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs, /* access check for creating a new file/directory - no access mask supplied */ -NTSTATUS pvfs_access_check_create_nomask(struct pvfs_state *pvfs, - struct smbsrv_request *req, - struct pvfs_filename *name) +NTSTATUS pvfs_access_check_parent(struct pvfs_state *pvfs, + struct smbsrv_request *req, + struct pvfs_filename *name, + uint32_t access_mask) { struct pvfs_filename *parent; NTSTATUS status; @@ -464,7 +465,7 @@ NTSTATUS pvfs_access_check_create_nomask(struct pvfs_state *pvfs, return status; } - return pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE); + return pvfs_access_check_simple(pvfs, req, parent, access_mask); } diff --git a/source4/ntvfs/posix/pvfs_mkdir.c b/source4/ntvfs/posix/pvfs_mkdir.c index 42b5109673..03bc16cdbe 100644 --- a/source4/ntvfs/posix/pvfs_mkdir.c +++ b/source4/ntvfs/posix/pvfs_mkdir.c @@ -44,7 +44,7 @@ static NTSTATUS pvfs_t2mkdir(struct pvfs_state *pvfs, return NT_STATUS_OBJECT_NAME_COLLISION; } - status = pvfs_access_check_create_nomask(pvfs, req, name); + status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -114,7 +114,7 @@ NTSTATUS pvfs_mkdir(struct ntvfs_module_context *ntvfs, return NT_STATUS_OBJECT_NAME_COLLISION; } - status = pvfs_access_check_create_nomask(pvfs, req, name); + status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source4/ntvfs/posix/pvfs_rename.c b/source4/ntvfs/posix/pvfs_rename.c index 91ad9aa3d9..b70f129888 100644 --- a/source4/ntvfs/posix/pvfs_rename.c +++ b/source4/ntvfs/posix/pvfs_rename.c @@ -22,7 +22,7 @@ #include "includes.h" #include "vfs_posix.h" - +#include "librpc/gen_ndr/ndr_security.h" /* resolve a wildcard rename pattern. This works on one component of the name @@ -281,7 +281,7 @@ static NTSTATUS pvfs_rename_mv(struct ntvfs_module_context *ntvfs, return status; } - status = pvfs_access_check_create_nomask(pvfs, req, name2); + status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -360,7 +360,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs, switch (ren->ntrename.in.flags) { case RENAME_FLAG_RENAME: - status = pvfs_access_check_create_nomask(pvfs, req, name2); + status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -370,7 +370,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs, break; case RENAME_FLAG_HARD_LINK: - status = pvfs_access_check_create_nomask(pvfs, req, name2); + status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -380,7 +380,7 @@ static NTSTATUS pvfs_rename_nt(struct ntvfs_module_context *ntvfs, break; case RENAME_FLAG_COPY: - status = pvfs_access_check_create_nomask(pvfs, req, name2); + status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source4/ntvfs/posix/pvfs_search.c b/source4/ntvfs/posix/pvfs_search.c index 34f5f2208e..2106758784 100644 --- a/source4/ntvfs/posix/pvfs_search.c +++ b/source4/ntvfs/posix/pvfs_search.c @@ -24,6 +24,7 @@ #include "vfs_posix.h" #include "system/time.h" #include "system/filesys.h" +#include "librpc/gen_ndr/ndr_security.h" /* the state of a search started with pvfs_search_first() */ @@ -325,6 +326,11 @@ static NTSTATUS pvfs_search_first_old(struct ntvfs_module_context *ntvfs, return STATUS_NO_MORE_FILES; } + status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_TRAVERSE | SEC_DIR_LIST); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + /* we initially make search a child of the request, then if we need to keep it long term we steal it for the private structure */ @@ -461,6 +467,11 @@ NTSTATUS pvfs_search_first(struct ntvfs_module_context *ntvfs, return NT_STATUS_NO_SUCH_FILE; } + status = pvfs_access_check_parent(pvfs, req, name, SEC_DIR_TRAVERSE | SEC_DIR_LIST); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + /* we initially make search a child of the request, then if we need to keep it long term we steal it for the private structure */ diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c index 8c4d016ccc..9934388461 100644 --- a/source4/ntvfs/posix/pvfs_setfileinfo.c +++ b/source4/ntvfs/posix/pvfs_setfileinfo.c @@ -139,7 +139,7 @@ static NTSTATUS pvfs_setfileinfo_rename(struct pvfs_state *pvfs, } } - status = pvfs_access_check_create_nomask(pvfs, req, name2); + status = pvfs_access_check_parent(pvfs, req, name2, SEC_DIR_ADD_FILE); if (!NT_STATUS_IS_OK(status)) { return status; } -- cgit