svn commit: samba r6124 - in branches/SAMBA_3_0/source/smbd: .

[jra at samba.org]

Author: jra
Date: 2005-03-30 02:24:47 +0000 (Wed, 30 Mar 2005)
New Revision: 6124

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6124

Log:
Fix for bug #2242 from Tom Lackemann <cessnatomny at yahoo.com> - don't
set SD on an NTtransact create unless we created the file.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/smbd/nttrans.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/nttrans.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/nttrans.c	2005-03-30 02:24:40 UTC (rev 6123)
+++ branches/SAMBA_3_0/source/smbd/nttrans.c	2005-03-30 02:24:47 UTC (rev 6124)
@@ -1461,15 +1461,28 @@
 	}
 
 	/*
-	 * Now try and apply the desired SD.
+	 * According to the MS documentation, the only time the security
+	 * descriptor is applied to the opened file is iff we *created* the
+	 * file; an existing file stays the same.
+	 * 
+	 * Also, it seems (from observation) that you can open the file with
+	 * any access mask but you can still write the sd. We need to override
+	 * the granted access before we call set_sd
+	 * Patch for bug #2242 from Tom Lackemann <cessnatomny at yahoo.com>.
 	 */
 
-	if (lp_nt_acl_support(SNUM(conn)) && sd_len &&
-			!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
-		close_file(fsp,False);
-		restore_case_semantics(conn, file_attributes);
-		return ERROR_NT(status);
-	}
+	if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) {
+		uint32 saved_access = fsp->desired_access;
+
+		fsp->desired_access = FILE_GENERIC_ALL;
+
+		if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
+			close_file(fsp,False);
+			restore_case_semantics(conn, file_attributes);
+			return ERROR_NT(status);
+		}
+		fsp->desired_access = saved_access;
+ 	}
 	
 	restore_case_semantics(conn, file_attributes);