From 9c53e146020c16e2a26e24fb327d69ed8da14c8e Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 16 Sep 2006 15:31:53 +0000
Subject: r18580: map the PVFS_FLAG_READONLY bit in the posix backend onto NT_STATUS_ACCESS_DENIED in the access mask checks (This used to be commit ceffc34f3e9f47a8a44dad52054688f9855eeb37)
---
 source4/ntvfs/posix/pvfs_acl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'source4/ntvfs')
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 3d276431dc..1dd40c0e06 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -349,6 +349,13 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
 uid_t uid = geteuid();
 uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL;
 
+ if ((pvfs->flags & PVFS_FLAG_READONLY) &&
+ ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
+ SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_DIR_DELETE_CHILD))) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 /* owner and root get extra permissions */
 if (uid == 0) {
 max_bits |= SEC_STD_ALL | SEC_FLAG_SYSTEM_SECURITY;
@@ -390,6 +397,13 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
 NTSTATUS status;
 struct security_descriptor *sd;
 
+ if ((pvfs->flags & PVFS_FLAG_READONLY) &&
+ ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
+ SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_DIR_DELETE_CHILD))) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 acl = talloc(req, struct xattr_NTACL);
 if (acl == NULL) {
 return NT_STATUS_NO_MEMORY;
-- cgit
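Review bot: The read-only guard added at the top of pvfs_access_check_unix() tests only five write bits, so a request against a PVFS_FLAG_READONLY share that asks for delete, write-DAC or write-owner rights is not rejected by it; the identical block added to pvfs_access_check() has the same gap. I would extend the mask in both places with a line such as `SEC_STD_DELETE | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER |`. Both bodies continue outside the hunks, so it is also worth confirming whether generic rights (`SEC_GENERIC_WRITE`, `SEC_GENERIC_ALL`) or `SEC_FLAG_MAXIMUM_ALLOWED` are expanded after this point, because a mask in that form would pass the test before being mapped to write bits. Since the condition is duplicated verbatim, moving it into one static helper with a comment such as `/* rights that modify the share; denied when PVFS_FLAG_READONLY is set */` would keep the two checks from drifting apart.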