From a2aa13da3272b62b8d47d624a0d7fc65825adf6e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 18 Oct 2009 10:32:06 +1100 Subject: s4-pvfs: more fixes for ACLs on file creation The passed in SD is not used to limit the access mask allowed on file create. --- source4/ntvfs/posix/pvfs_acl.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'source4/ntvfs') diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 842aced6f2..5931a38f2e 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -659,14 +659,10 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs, } status = pvfs_resolve_parent(pvfs, req, name, &parent); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); status = pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); if (*sd == NULL) { status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, sd); @@ -679,14 +675,19 @@ NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs, /* expand the generic access bits to file specific bits */ *access_mask = pvfs_translate_mask(*access_mask); - if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { - *access_mask &= ~SEC_FILE_READ_ATTRIBUTE; + + if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { + *access_mask |= SEC_RIGHTS_FILE_ALL; + *access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED; } - if (*sd == NULL) { - return pvfs_access_check_unix(pvfs, req, NULL, access_mask); + if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { + /* on SMB, this bit is always granted, even if not + asked for */ + *access_mask |= SEC_FILE_READ_ATTRIBUTE; } - return sec_access_check(*sd, token, *access_mask, access_mask); + + return NT_STATUS_OK; } /* -- cgit