svn commit: samba r4062 - in branches/SAMBA_4_0/source: libcli/security ntvfs/posix

Sat Dec 4 12:42:41 GMT 2004

Author: tridge
Date: 2004-12-04 12:42:40 +0000 (Sat, 04 Dec 2004)
New Revision: 4062

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4062

Log:
the RAW-ACLS test now passes. The SEC_STD_DELETE bit is rather strange
though - I expect we'll need to tweak that some more.





Modified:
   branches/SAMBA_4_0/source/libcli/security/access_check.c
   branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/security/access_check.c
===================================================================

--- branches/SAMBA_4_0/source/libcli/security/access_check.c	2004-12-04 10:16:47 UTC (rev 4061)
+++ branches/SAMBA_4_0/source/libcli/security/access_check.c	2004-12-04 12:42:40 UTC (rev 4062)
@@ -49,8 +49,9 @@
 	unsigned i;
 	
 	if (sid_active_in_token(sd->owner_sid, token)) {
-		granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
 	}
+	granted |= SEC_STD_DELETE;
 
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
@@ -84,15 +85,17 @@
 	int i;
 	uint32_t bits_remaining;
 
+	*access_granted = access_desired;
+	bits_remaining = access_desired;
+
 	/* handle the maximum allowed flag */
 	if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 		access_desired |= access_check_max_allowed(sd, token);
 		access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+		*access_granted = access_desired;
+		bits_remaining = access_desired & ~SEC_STD_DELETE;
 	}
 
-	*access_granted = access_desired;
-	bits_remaining = access_desired;
-
 #if 0
 	/* this is where we should check for the "system security" privilege, once we 
 	   move to the full security_token and not just the nt_user_token */

Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c	2004-12-04 10:16:47 UTC (rev 4061)
+++ branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c	2004-12-04 12:42:40 UTC (rev 4062)
@@ -103,6 +103,7 @@
 	int fnum;
 	NTSTATUS status;
 	uint32_t create_action;
+	uint32_t access_mask = io->generic.in.access_mask;
 
 	if (name->stream_name) {
 		return NT_STATUS_NOT_A_DIRECTORY;
@@ -152,6 +153,14 @@
 		return NT_STATUS_TOO_MANY_OPENED_FILES;
 	}
 
+	if (name->exists) {
+		/* check the security descriptor */
+		status = pvfs_access_check(pvfs, req, name, &access_mask);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
+
 	f->fnum          = fnum;
 	f->session       = req->session;
 	f->smbpid        = req->smbpid;
@@ -160,6 +169,7 @@
 	f->lock_count    = 0;
 	f->share_access  = io->generic.in.share_access;
 	f->impersonation = io->generic.in.impersonation;
+	f->access_mask   = access_mask;
 
 	f->handle->pvfs              = pvfs;
 	f->handle->name              = talloc_steal(f->handle, name);

