[SCM] Samba Shared Repository - branch master updated -
bfc59f63f3c13b1499e658c30b2185c7067c5fca
Jeremy Allison
jra at samba.org
Tue Nov 4 09:35:01 GMT 2008
The branch, master has been updated
via bfc59f63f3c13b1499e658c30b2185c7067c5fca (commit)
from 0953688012dcacca5b28a19c7a2d8393428ca151 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bfc59f63f3c13b1499e658c30b2185c7067c5fca
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 4 01:34:08 2008 -0800
Pass all of RAW-ACLS except for inheritence. Working on that next.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/include/proto.h | 4 ++
source3/modules/vfs_acl_xattr.c | 2 +-
source3/smbd/open.c | 81 ++++++++++++++++++++++++++++++++++++++-
source4/torture/raw/acls.c | 2 +-
4 files changed, 85 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 254c33d..0d4404b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -8040,6 +8040,10 @@ void reply_nttranss(struct smb_request *req);
/* The following definitions come from smbd/open.c */
+NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted);
NTSTATUS fd_close(files_struct *fsp);
bool map_open_params_to_ntcreate(const char *fname, int deny_mode, int open_func,
uint32 *paccess_mask,
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index c3b27f8..5dfe43e 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -437,7 +437,7 @@ static int open_acl_xattr(vfs_handle_struct *handle,
&pdesc);
if (NT_STATUS_IS_OK(status)) {
/* See if we can access it. */
- status = se_access_check(pdesc,
+ status = smb1_file_se_access_check(pdesc,
handle->conn->server_info->ptok,
fsp->access_mask,
&access_granted);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index b134e8f..480352b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -30,6 +30,56 @@ struct deferred_open_record {
};
/****************************************************************************
+ SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
+****************************************************************************/
+
+NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+ const NT_USER_TOKEN *token,
+ uint32_t access_desired,
+ uint32_t *access_granted)
+{
+ return se_access_check(sd,
+ token,
+ (access_desired & ~FILE_READ_ATTRIBUTES),
+ access_granted);
+}
+
+/****************************************************************************
+ Check if we have open rights.
+****************************************************************************/
+
+static NTSTATUS check_open_rights(struct connection_struct *conn,
+ const char *fname,
+ uint32_t access_mask)
+{
+ /* Check if we have rights to open. */
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+ struct security_descriptor *sd;
+
+ status = SMB_VFS_GET_NT_ACL(conn, fname,
+ (OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION),&sd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("check_open_rights: Could not get acl "
+ "on %s: %s\n",
+ fname,
+ nt_errstr(status)));
+ return status;
+ }
+
+ status = smb1_file_se_access_check(sd,
+ conn->server_info->ptok,
+ access_mask,
+ &access_granted);
+
+ TALLOC_FREE(sd);
+ return status;
+}
+
+/****************************************************************************
fd support routines - attempt to do a dos_open.
****************************************************************************/
@@ -337,6 +387,17 @@ static NTSTATUS open_file(files_struct *fsp,
} else {
fsp->fh->fd = -1; /* What we used to call a stat open. */
+ if (file_existed) {
+ status = check_open_rights(conn,
+ path,
+ access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_file: Access denied on "
+ "file %s\n",
+ path));
+ return status;
+ }
+ }
}
if (!file_existed) {
@@ -1146,6 +1207,7 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
/* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
if (file_existed) {
+
struct security_descriptor *sd;
uint32_t access_granted = 0;
@@ -1162,8 +1224,10 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
- status = se_access_check(sd, conn->server_info->ptok,
- access_mask, &access_granted);
+ status = smb1_file_se_access_check(sd,
+ conn->server_info->ptok,
+ access_mask,
+ &access_granted);
TALLOC_FREE(sd);
@@ -2274,6 +2338,19 @@ NTSTATUS open_directory(connection_struct *conn,
return NT_STATUS_NOT_A_DIRECTORY;
}
+ if (info == FILE_WAS_OPENED) {
+ status = check_open_rights(conn,
+ fname,
+ access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_directory: check_open_rights on "
+ "file %s failed with %s\n",
+ fname,
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
status = file_new(req, conn, &fsp);
if(!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 2a67bd9..862b96a 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -1088,7 +1088,7 @@ static bool test_owner_bits(struct torture_context *tctx,
{
NTSTATUS status;
union smb_open io;
- const char *fname = BASEDIR "\\generic.txt";
+ const char *fname = BASEDIR "\\test_owner_bits.txt";
bool ret = true;
int fnum = -1, i;
union smb_fileinfo q;
--
Samba Shared Repository
More information about the samba-cvs
mailing list