svn commit: samba r6123 - in trunk/source/smbd: .
jra at samba.org
Wed Mar 30 02:24:41 GMT 2005
Author: jra
Date: 2005-03-30 02:24:40 +0000 (Wed, 30 Mar 2005)
New Revision: 6123
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6123
Log:
Fix for bug #2242 from Tom Lackemann <cessnatomny at yahoo.com> - don't
set SD on an NTtransact create unless we created the file.
Jeremy.
Modified:
trunk/source/smbd/nttrans.c
Changeset:
Modified: trunk/source/smbd/nttrans.c
===================================================================
--- trunk/source/smbd/nttrans.c 2005-03-30 02:05:22 UTC (rev 6122)
+++ trunk/source/smbd/nttrans.c 2005-03-30 02:24:40 UTC (rev 6123)
@@ -1461,15 +1461,28 @@
}
/*
- * Now try and apply the desired SD.
+ * According to the MS documentation, the only time the security
+ * descriptor is applied to the opened file is iff we *created* the
+ * file; an existing file stays the same.
+ *
+ * Also, it seems (from observation) that you can open the file with
+ * any access mask but you can still write the sd. We need to override
+ * the granted access before we call set_sd
+ * Patch for bug #2242 from Tom Lackemann <cessnatomny at yahoo.com>.
*/
- if (lp_nt_acl_support(SNUM(conn)) && sd_len &&
- !NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
- close_file(fsp,False);
- restore_case_semantics(conn, file_attributes);
- return ERROR_NT(status);
- }
+ if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) {
+ uint32 saved_access = fsp->desired_access;
+
+ fsp->desired_access = FILE_GENERIC_ALL;
+
+ if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
+ close_file(fsp,False);
+ restore_case_semantics(conn, file_attributes);
+ return ERROR_NT(status);
+ }
+ fsp->desired_access = saved_access;
+ }
restore_case_semantics(conn, file_attributes);
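Review bot: On the set_sd failure path in the new block, fsp->desired_access is still FILE_GENERIC_ALL when close_file(fsp,False) runs, because saved_access is only restored after the error check. Nothing in this hunk shows that close_file ignores desired_access, so it would be safer to restore before testing the result: assign status = set_sd(...) on its own line, then fsp->desired_access = saved_access, then check !NT_STATUS_IS_OK(status). That also keeps the widened mask confined to the single set_sd call. Separately, the comment justifies the override only "from observation"; it should say explicitly that the temporary FILE_GENERIC_ALL is acceptable because the branch is gated on smb_action == FILE_WAS_CREATED, so a later change to that condition does not silently let a client rewrite the SD on an existing file with whatever access mask it opened. The sentence ending "before we call set_sd" is also missing its full stop.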