[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Oct 20 12:30:01 MDT 2011


The branch, master has been updated
       via  30fb5e9 Refactor to create check_parent_access() which can be called for file creation too.
       via  ff8fa5a Make mkdir_internal() check the parent ACL for SEC_DIR_ADD_SUBDIR rights.
      from  3ae478b build: compile (but do not install) all the libsmbclient tests

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 30fb5e99698406fd738cbe98f1a8a6cdca170a64
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 20 10:01:12 2011 -0700

    Refactor to create check_parent_access() which can be called for file creation too.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Thu Oct 20 20:29:22 CEST 2011 on sn-devel-104

commit ff8fa5aa2b7665cd38bd589870f52ac58f38c66f
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 19 16:56:00 2011 -0700

    Make mkdir_internal() check the parent ACL for SEC_DIR_ADD_SUBDIR rights.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/open.c |   78 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 75 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a56dd6b..1e21799 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -134,6 +134,63 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 	return status;
 }
 
+static NTSTATUS check_parent_access(struct connection_struct *conn,
+				struct smb_filename *smb_fname,
+				uint32_t access_mask,
+				char **pp_parent_dir,
+				struct security_descriptor **pp_parent_sd)
+{
+	NTSTATUS status;
+	char *parent_dir = NULL;
+	struct security_descriptor *parent_sd = NULL;
+	uint32_t access_granted = 0;
+
+	if (!parent_dirname(talloc_tos(),
+				smb_fname->base_name,
+				&parent_dir,
+				NULL)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = SMB_VFS_GET_NT_ACL(conn,
+				parent_dir,
+				SECINFO_DACL,
+				&parent_sd);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5,("check_parent_access: SMB_VFS_GET_NT_ACL failed for "
+			"%s with error %s\n",
+			parent_dir,
+			nt_errstr(status)));
+		return status;
+	}
+
+	status = smb1_file_se_access_check(conn,
+					parent_sd,
+					get_current_nttok(conn),
+					access_mask,
+					&access_granted);
+	if(!NT_STATUS_IS_OK(status)) {
+		DEBUG(5,("check_parent_access: access check "
+			"on directory %s for "
+			"path %s for mask 0x%x returned (0x%x) %s\n",
+			parent_dir,
+			smb_fname->base_name,
+			access_mask,
+			access_granted,
+			nt_errstr(status) ));
+		return status;
+	}
+
+	if (pp_parent_dir) {
+		*pp_parent_dir = parent_dir;
+	}
+	if (pp_parent_sd) {
+		*pp_parent_sd = parent_sd;
+	}
+	return NT_STATUS_OK;
+}
+
 /****************************************************************************
  fd support routines - attempt to do a dos_open.
 ****************************************************************************/
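Review bot: check_parent_access() is added without a comment stating its output contract: `*pp_parent_dir` and `*pp_parent_sd` are written only on the success path, either pointer may be NULL, and both results are allocated on `talloc_tos()`. When the caller passes NULL for `pp_parent_sd` (as the mkdir_internal call in the third hunk does), the fetched descriptor is left on the talloc stack frame, and the same holds on both error returns. Adding `TALLOC_FREE(parent_sd);` where the descriptor is not handed back would make the lifetime explicit. I would also add a header comment in the file's banner style, e.g. `Check that the current token has access_mask on the parent directory of smb_fname; outputs are set only on NT_STATUS_OK.`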
@@ -2437,13 +2494,14 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 			       uint32 file_attributes)
 {
 	mode_t mode;
-	char *parent_dir;
+	char *parent_dir = NULL;
 	NTSTATUS status;
 	bool posix_open = false;
 	bool need_re_stat = false;
+	uint32_t access_mask = SEC_DIR_ADD_SUBDIR;
 
-	if(!CAN_WRITE(conn)) {
-		DEBUG(5,("mkdir_internal: failing create on read-only share "
+	if(access_mask & ~(conn->share_access)) {
+		DEBUG(5,("mkdir_internal: failing share access "
 			 "%s\n", lp_servicename(SNUM(conn))));
 		return NT_STATUS_ACCESS_DENIED;
 	}
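Review bot: The replaced guard in mkdir_internal now denies when `SEC_DIR_ADD_SUBDIR` is missing from `conn->share_access`, but the DEBUG text only says "failing share access" plus the share name, so an operator can no longer tell which right was refused. Logging the masks would make denied creates easier to trace, e.g. `DEBUG(5,("mkdir_internal: share %s denies 0x%x (share_access 0x%x)\n", lp_servicename(SNUM(conn)), access_mask, conn->share_access));`. The read-only-share rejection that `CAN_WRITE(conn)` provided now depends on how `share_access` is computed, which is not visible here; presumably the write bits are cleared for read-only shares, and that is worth confirming or stating in a comment. The function body continues outside the hunk.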
@@ -2465,6 +2523,20 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 		mode = unix_mode(conn, FILE_ATTRIBUTE_DIRECTORY, smb_dname, parent_dir);
 	}
 
+	status = check_parent_access(conn,
+					smb_dname,
+					access_mask,
+					&parent_dir,
+					NULL);
+	if(!NT_STATUS_IS_OK(status)) {
+		DEBUG(5,("mkdir_internal: check_parent_access "
+			"on directory %s for path %s returned %s\n",
+			parent_dir,
+			smb_dname->base_name,
+			nt_errstr(status) ));
+		return status;
+	}
+
 	if (SMB_VFS_MKDIR(conn, smb_dname->base_name, mode) != 0) {
 		return map_nt_error_from_unix(errno);
 	}
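Review bot: The failure DEBUG after `check_parent_access()` prints `parent_dir`, but the helper added in the first hunk assigns `*pp_parent_dir` only after the access check succeeds, so on the denied path the message shows whatever the variable held before the call. The context line that passes `parent_dir` to `unix_mode()` suggests it is already computed earlier in mkdir_internal, outside this hunk. If so, the parent is derived twice and the call could pass `NULL` for `pp_parent_dir`; if not, the `%s` would receive a NULL pointer. The ACL check and `SMB_VFS_MKDIR` both act on the path name, so a short comment noting that the parent can change between the two calls would help later readers. mkdir_internal's body starts and ends outside the hunk.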


-- 
Samba Shared Repository

