[SCM] Samba Shared Repository - branch master updated - 6a37302b55dbf0bbb88247214b444a87e23e687a

Jeremy Allison jra at samba.org
Tue Nov 4 07:19:50 GMT 2008


The branch, master has been updated
       via  6a37302b55dbf0bbb88247214b444a87e23e687a (commit)
      from  4f8fac1b8e1d185f732c32f20e3b7060e3835435 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6a37302b55dbf0bbb88247214b444a87e23e687a
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Nov 3 23:18:43 2008 -0800

    Pass the directory versions of the RAW-ACL (still not inheritance). Refactor some common code between open_file_ntcreate() and open_directory().
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/open.c |  126 +++++++++++++++++++++++++++++++++-----------------
 1 files changed, 83 insertions(+), 43 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index dde1d0d..b134e8f 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1126,6 +1126,65 @@ static void schedule_defer_open(struct share_mode_lock *lck,
 }
 
 /****************************************************************************
+ Work out what access_mask to use from what the client sent us.
+****************************************************************************/
+
+static NTSTATUS calculate_access_mask(connection_struct *conn,
+					const char *fname,
+					bool file_existed,
+					uint32_t access_mask,
+					uint32_t *access_mask_out)
+{
+	NTSTATUS status;
+
+	/*
+	 * Convert GENERIC bits to specific bits.
+	 */
+
+	se_map_generic(&access_mask, &file_generic_mapping);
+
+	/* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
+	if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
+		if (file_existed) {
+			struct security_descriptor *sd;
+			uint32_t access_granted = 0;
+
+			status = SMB_VFS_GET_NT_ACL(conn, fname,
+					(OWNER_SECURITY_INFORMATION |
+					GROUP_SECURITY_INFORMATION |
+					DACL_SECURITY_INFORMATION),&sd);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("calculate_access_mask: Could not get acl "
+					"on file %s: %s\n",
+					fname,
+					nt_errstr(status)));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+
+			status = se_access_check(sd, conn->server_info->ptok,
+					access_mask, &access_granted);
+
+			TALLOC_FREE(sd);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("calculate_access_mask: Access denied on "
+					"file %s: when calculating maximum access\n",
+					fname));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+
+			access_mask = access_granted;
+		} else {
+			access_mask = FILE_GENERIC_ALL;
+		}
+	}
+
+	*access_mask_out = access_mask;
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
  Open a file with a share mode.
 ****************************************************************************/
 
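Review bot: The `else` branch of calculate_access_mask() sets `access_mask = FILE_GENERIC_ALL` for an object that does not exist yet without evaluating any ACL, and nothing in the helper says where the right to create under the parent directory is enforced. Because both callers feed this value into the handle's access mask, the header comment should say that the result is a computed mask and not an authorization decision, e.g. `/* New object: full access for the creator; create permission on the parent is enforced elsewhere. */`, assuming that is where the check lives, which these hunks do not show. The same comment should record that the helper performs no ACL check at all unless MAXIMUM_ALLOWED_ACCESS is set, that any failure to read the ACL is reported as NT_STATUS_ACCESS_DENIED (fail closed, original status only in the level-10 log), and that `*access_mask_out` is written only on success.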
@@ -1361,47 +1420,15 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 		}
 	}
 
-	/*
-	 * Convert GENERIC bits to specific bits.
-	 */
-
-	se_map_generic(&access_mask, &file_generic_mapping);
-
-	/* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
-	if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
-		if (file_existed) {
-			struct security_descriptor *sd;
-			uint32_t access_granted = 0;
-
-			status = SMB_VFS_GET_NT_ACL(conn, fname,
-					(OWNER_SECURITY_INFORMATION |
-					GROUP_SECURITY_INFORMATION |
-					DACL_SECURITY_INFORMATION),&sd);
-
-			if (!NT_STATUS_IS_OK(status)) {
-				DEBUG(10, ("open_file_ntcreate: Could not get acl "
-					"on file %s: %s\n",
-					fname,
-					nt_errstr(status)));
-				return NT_STATUS_ACCESS_DENIED;
-			}
-
-			status = se_access_check(sd, conn->server_info->ptok,
-					access_mask, &access_granted);
-
-			TALLOC_FREE(sd);
-
-			if (!NT_STATUS_IS_OK(status)) {
-				DEBUG(10, ("open_file_ntcreate: Access denied on "
-					"file %s: when calculating maximum access\n",
-					fname));
-				return NT_STATUS_ACCESS_DENIED;
-			}
-
-			access_mask = access_granted;
-		} else {
-			access_mask = FILE_GENERIC_ALL;
-		}
+	status = calculate_access_mask(conn, fname, file_existed,
+					access_mask,
+					&access_mask); 
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("open_file_ntcreate: calculate_access_mask "
+			"on file %s returned %s\n",
+			fname,
+			nt_errstr(status)));
+		return status;
 	}
 
 	open_access_mask = access_mask;
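Review bot: The new call leaves trailing whitespace after `&access_mask);` (repeated in the open_directory() hunk), and the caller's DEBUG(10) repeats a failure that calculate_access_mask() has already logged at the same level with more detail. Dropping the caller message, or keeping only `return status;` inside the `if`, avoids reporting each denial twice when level-10 logs are read during triage. open_file_ntcreate() starts and ends outside this hunk.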
@@ -2162,6 +2189,17 @@ NTSTATUS open_directory(connection_struct *conn,
 		return NT_STATUS_NOT_A_DIRECTORY;
 	}
 
+	status = calculate_access_mask(conn, fname, dir_existed,
+					access_mask,
+					&access_mask); 
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("open_directory: calculate_access_mask "
+			"on file %s returned %s\n",
+			fname,
+			nt_errstr(status)));
+		return status;
+	}
+
 	switch( create_disposition ) {
 		case FILE_OPEN:
 
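Review bot: The helper called here for directories maps generic bits with `file_generic_mapping` and falls back to `FILE_GENERIC_ALL`, both file-oriented names, and nothing at this call site says they are also the intended mapping for a directory. If they are, a one-line comment above the call such as `/* Directories use the same generic mapping as files. */` would settle it; if not, the helper would need the mapping passed in. The DEBUG text also says "on file %s" inside open_directory(), and `"on directory %s returned %s\n"` would make the log line match the caller. open_directory() starts and ends outside this hunk.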
@@ -2255,8 +2293,10 @@ NTSTATUS open_directory(connection_struct *conn,
 
 	fsp->share_access = share_access;
 	fsp->fh->private_options = create_options;
-	fsp->access_mask = access_mask;
-
+	/*
+	 * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+	 */
+	fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;
 	fsp->print_file = False;
 	fsp->modified = False;
 	fsp->oplock_type = NO_OPLOCK;
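Review bot: `fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;` widens the mask recorded on the handle beyond what calculate_access_mask() returned, so any later code that trusts fsp->access_mask will permit attribute reads even where the ACL-derived mask did not include that bit. The comment gives only "According to Samba4" as the reason, ends in a stray comma, and names SEC_FILE_READ_ATTRIBUTE while the code uses FILE_READ_ATTRIBUTES. It should state that the bit is added on purpose after the ACL-derived mask, and whether open_file_ntcreate() is meant to do the same, for example `/* FILE_READ_ATTRIBUTES is always granted on a directory handle (matches Samba4); added after the ACL-derived mask on purpose. */`. open_directory() starts and ends outside this hunk.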


-- 
Samba Shared Repository

