From 34d4e883146bccda53422fa50a35ab25ca880d2e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 17 Mar 2014 14:35:00 -0700 Subject: [PATCH] s3: smbd: Fileserving share access checks. Git commit 86d1e1db8e2747e30c89627cda123fde1e84f579 fixed share_access not being reset between users, by changing make_connection_snum() to call a common function check_user_share_access() in the same way that change_to_user() (which can be called on any incoming packet) does. Unfortunately that bugfix was incorrect and broke "force user" and "force group" as it called check_user_share_access() inside make_connection_snum() using the conn->session_info pointer instead of the vuser->session_info pointer. conn->session_info represents the token to use when actually accessing the file system, and so is modified by force user and force group. conn->session_info represents the "pristine" token of the user logging in, and is never modified by force user and force group. Samba 3.6.x checked the share access based on the "pristine" token of the user logging in, not the token modified by force user and force group. This change restores the expected behavior. Fixes bug #9878 - force user does not work as expected https://bugzilla.samba.org/show_bug.cgi?id=9878 Signed-off-by: Jeremy Allison --- source3/smbd/service.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source3/smbd/service.c b/source3/smbd/service.c index a7464f0..7d06551 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -614,11 +614,19 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, } /* - * Set up the share security descriptor + * Set up the share security descriptor. + * NOTE - we use the *INCOMING USER* session_info + * here, as does (indirectly) change_to_user(), + * which can be called on any incoming packet. + * This way we set up the share access based + * on the authenticated user, not the forced + * user. See bug: + * + * https://bugzilla.samba.org/show_bug.cgi?id=9878 */ status = check_user_share_access(conn, - conn->session_info, + vuser->session_info, &conn->share_access, &conn->read_only); if (!NT_STATUS_IS_OK(status)) { -- 1.9.0.279.gdc9e3eb