[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Oct 20 12:30:01 MDT 2011
The branch, master has been updated
via 30fb5e9 Refactor to create check_parent_access() which can be called for file creation too.
via ff8fa5a Make mkdir_internal() check the parent ACL for SEC_DIR_ADD_SUBDIR rights.
from 3ae478b build: compile (but do not install) all the libsmbclient tests
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 30fb5e99698406fd738cbe98f1a8a6cdca170a64
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 20 10:01:12 2011 -0700
Refactor to create check_parent_access() which can be called for file creation too.
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Thu Oct 20 20:29:22 CEST 2011 on sn-devel-104
commit ff8fa5aa2b7665cd38bd589870f52ac58f38c66f
Author: Jeremy Allison <jra at samba.org>
Date: Wed Oct 19 16:56:00 2011 -0700
Make mkdir_internal() check the parent ACL for SEC_DIR_ADD_SUBDIR rights.
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/open.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 75 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a56dd6b..1e21799 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -134,6 +134,63 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
return status;
}
+static NTSTATUS check_parent_access(struct connection_struct *conn,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask,
+ char **pp_parent_dir,
+ struct security_descriptor **pp_parent_sd)
+{
+ NTSTATUS status;
+ char *parent_dir = NULL;
+ struct security_descriptor *parent_sd = NULL;
+ uint32_t access_granted = 0;
+
+ if (!parent_dirname(talloc_tos(),
+ smb_fname->base_name,
+ &parent_dir,
+ NULL)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = SMB_VFS_GET_NT_ACL(conn,
+ parent_dir,
+ SECINFO_DACL,
+ &parent_sd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("check_parent_access: SMB_VFS_GET_NT_ACL failed for "
+ "%s with error %s\n",
+ parent_dir,
+ nt_errstr(status)));
+ return status;
+ }
+
+ status = smb1_file_se_access_check(conn,
+ parent_sd,
+ get_current_nttok(conn),
+ access_mask,
+ &access_granted);
+ if(!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("check_parent_access: access check "
+ "on directory %s for "
+ "path %s for mask 0x%x returned (0x%x) %s\n",
+ parent_dir,
+ smb_fname->base_name,
+ access_mask,
+ access_granted,
+ nt_errstr(status) ));
+ return status;
+ }
+
+ if (pp_parent_dir) {
+ *pp_parent_dir = parent_dir;
+ }
+ if (pp_parent_sd) {
+ *pp_parent_sd = parent_sd;
+ }
+ return NT_STATUS_OK;
+}
+
/****************************************************************************
fd support routines - attempt to do a dos_open.
****************************************************************************/
@@ -2437,13 +2494,14 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
uint32 file_attributes)
{
mode_t mode;
- char *parent_dir;
+ char *parent_dir = NULL;
NTSTATUS status;
bool posix_open = false;
bool need_re_stat = false;
+ uint32_t access_mask = SEC_DIR_ADD_SUBDIR;
- if(!CAN_WRITE(conn)) {
- DEBUG(5,("mkdir_internal: failing create on read-only share "
+ if(access_mask & ~(conn->share_access)) {
+ DEBUG(5,("mkdir_internal: failing share access "
"%s\n", lp_servicename(SNUM(conn))));
return NT_STATUS_ACCESS_DENIED;
}
@@ -2465,6 +2523,20 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
mode = unix_mode(conn, FILE_ATTRIBUTE_DIRECTORY, smb_dname, parent_dir);
}
+ status = check_parent_access(conn,
+ smb_dname,
+ access_mask,
+ &parent_dir,
+ NULL);
+ if(!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("mkdir_internal: check_parent_access "
+ "on directory %s for path %s returned %s\n",
+ parent_dir,
+ smb_dname->base_name,
+ nt_errstr(status) ));
+ return status;
+ }
+
if (SMB_VFS_MKDIR(conn, smb_dname->base_name, mode) != 0) {
return map_nt_error_from_unix(errno);
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list