[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Thu Apr 30 09:12:03 UTC 2020


The branch, master has been updated
       via  d3be759aeea s3: smbd: Add dirfsp parameter to check_access().
       via  cc5b49b80a3 s3: smbd: Reformat callers of check_access().
       via  3a7fb967e5d s3: smbd: Make check_access() a simple wrapper around smbd_check_access_rights().
       via  3fa18f98669 s3: smbd: Reformat spacing for parameters of check_access().
       via  dc0ea4a1957 s3: smbd: Move the fsp check up one level from check_access().
       via  d7f4bb57f27 s3: smbd: Cleanup - move the function get_nt_acl_no_snum() to its user module.
       via  152fb23fac4 s3: smbd: Add a dirfsp parameter to directory_has_default_acl().
       via  98c8785c581 s3: smbd: Reformat uses of directory_has_default_acl().
       via  2243ba78d9d s3: smbd: Change is_visible_file() to take a directory handle not a name.
       via  668ef24701b s3: smbd: Reformat calls to is_visible_file() to one arg per line.
       via  3373500f7e8 s3: VFS: snapper. Remove snapper_gmt_fget_nt_acl().
       via  26e48cb18bc s3: VFS: ceph_snapshots. Remove duplicate definition of get_nt_acl_fn.
       via  2ef629fed73 s3: VFS: ceph_snapshots. Remove ceph_snap_gmt_fget_nt_acl().
       via  031d665728d s3: VFS: shadow_copy2. SMB_VFS_FGET_NT_ACL() makes no sense in this module.
       via  7288e9a445e s3: smbd: In posix_fget_nt_acl() remove the fall-back to path based operations.
      from  3be17c891b6 s3 rpc server: set on-wire handle type explicitly

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d3be759aeeaa9885a0f3eca0f1800ee0f4f6c56a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:32:21 2020 -0700

    s3: smbd: Add dirfsp parameter to check_access().
    
    Not yet used.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Thu Apr 30 09:11:56 UTC 2020 on sn-devel-184

commit cc5b49b80a39d8c8b451b46d6db63a3bf858b1c5
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:28:27 2020 -0700

    s3: smbd: Reformat callers of check_access().
    
    Makes it easier to see when we add the dirfsp
    parameter.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 3a7fb967e5d3fe28d9db06841f1d53064440cf0d
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:26:08 2020 -0700

    s3: smbd: Make check_access() a simple wrapper around smbd_check_access_rights().
    
    Now we call check_access_fsp() separately in the callers we don't need the fsp
    parameter anymore.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 3fa18f986698d835c73503074ec46861742af583
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:23:30 2020 -0700

    s3: smbd: Reformat spacing for parameters of check_access().
    
    Makes it easier to see the removal of the parameter next.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit dc0ea4a1957966b66512fc1d1340c0bc37d75531
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:22:31 2020 -0700

    s3: smbd: Move the fsp check up one level from check_access().
    
    This allows us to call check_access_fsp() directly when
    we have an fsp, and to add in the dirfsp for relative
    name access to check_access() in the next commit, making
    it clear what it's for (and not confusing it with the
    file fsp).
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit d7f4bb57f2718aaf191591769a4e93c09968b762
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:18:57 2020 -0700

    s3: smbd: Cleanup - move the function get_nt_acl_no_snum() to its user module.
    
    Make static. It was only called from one place.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 152fb23fac4431adbf4978298104d14dee100b0d
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:14:41 2020 -0700

    s3: smbd: Add a dirfsp parameter to directory_has_default_acl().
    
    Not yet used, but will make it easier to move to SMB_VFS_GET_NT_ACL_AT()
    later.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 98c8785c5810b1dc5820212b98ffa6279ea80cea
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 15:11:33 2020 -0700

    s3: smbd: Reformat uses of directory_has_default_acl().
    
    Makes it easier to add a dirfsp parameter.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2243ba78d9dc4c3515217001f907be5ed0c1fea3
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 14:43:50 2020 -0700

    s3: smbd: Change is_visible_file() to take a directory handle not a name.
    
    No change in functionality as the name is
    easily retrieved from the directory handle
    (it's always the name we opened the directory with)
    and this will allow us to use the directory handle
    fsp later.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 668ef24701ba9d7992b1e44f8b2b87bc5522fb1a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Apr 29 14:37:02 2020 -0700

    s3: smbd: Reformat calls to is_visible_file() to one arg per line.
    
    Will make it easier to see parameter change in a later commit.
    
    No logic changes.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 3373500f7e8816deac32296e0cdbf3fd99ebc720
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 14 14:41:09 2020 -0700

    s3: VFS: snapper. Remove snapper_gmt_fget_nt_acl().
    
    This fallback was only used for directories. Now we always
    have a valid fd for directories it is no longer needed.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 26e48cb18bc3a811756890ae9e7b52150da55513
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 14 14:38:22 2020 -0700

    s3: VFS: ceph_snapshots. Remove duplicate definition of get_nt_acl_fn.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2ef629fed73f390c4f05c18bb0c7da8405e57b1b
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 14 14:37:17 2020 -0700

    s3: VFS: ceph_snapshots. Remove ceph_snap_gmt_fget_nt_acl().
    
    This fallback was only used for directories. Now we always
    have a valid fd for directories it is no longer needed.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 031d665728d2595bf24f8635256fab1788dbea3b
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 14 14:10:35 2020 -0700

    s3: VFS: shadow_copy2. SMB_VFS_FGET_NT_ACL() makes no sense in this module.
    
    Once we have an open fsp we know we've gone through the pathname
    translation.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 7288e9a445e1bed74d6c99bdd3125ebe383bbf49
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 14 14:07:23 2020 -0700

    s3: smbd: In posix_fget_nt_acl() remove the fall-back to path based operations.
    
    Previously we'd do this for directory opens, but directory opens
    now always have an open fd. stat opens don't have permissions
    to read a security descriptor anyway.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_ceph.c                    |  5 +-
 source3/modules/vfs_ceph_snapshots.c          | 52 --------------------
 source3/modules/vfs_default.c                 |  5 +-
 source3/modules/vfs_shadow_copy2.c            | 45 -----------------
 source3/modules/vfs_snapper.c                 | 45 -----------------
 source3/rpc_server/eventlog/srv_eventlog_nt.c | 61 +++++++++++++++++++++++
 source3/smbd/close.c                          | 21 +++++---
 source3/smbd/dir.c                            | 19 +++++---
 source3/smbd/file_access.c                    |  3 +-
 source3/smbd/open.c                           |  5 +-
 source3/smbd/posix_acls.c                     | 69 ---------------------------
 source3/smbd/proto.h                          | 17 +++----
 source3/smbd/reply.c                          | 21 +++++---
 source3/smbd/trans2.c                         | 50 ++++++++++++-------
 14 files changed, 157 insertions(+), 261 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 166fdc9feee..ef426a0d64f 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -365,7 +365,10 @@ static int cephwrap_mkdirat(struct vfs_handle_struct *handle,
 
 	if (lp_inherit_acls(SNUM(handle->conn))) {
 		ok = parent_smb_fname(talloc_tos(), smb_fname, &parent, NULL);
-		if (ok && directory_has_default_acl(handle->conn, parent)) {
+		if (ok && directory_has_default_acl(handle->conn,
+				dirfsp,
+				parent))
+		{
 			mode = 0777;
 		}
 	}
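Review bot: the context line `mode = 0777;` under the reformatted condition is not masked, while the same branch in vfswrap_mkdirat() in this changeset sets `mode = (0777 & lp_directory_mask(SNUM(handle->conn)))`. If the difference is intentional for Ceph it deserves a comment here; if not, a follow-up should bring the two in line. Nothing in this hunk changes behaviour by itself, since the new dirfsp argument is only passed through.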
diff --git a/source3/modules/vfs_ceph_snapshots.c b/source3/modules/vfs_ceph_snapshots.c
index 2b625843187..d2010d8fc52 100644
--- a/source3/modules/vfs_ceph_snapshots.c
+++ b/source3/modules/vfs_ceph_snapshots.c
@@ -1164,56 +1164,6 @@ static struct smb_filename *ceph_snap_gmt_realpath(vfs_handle_struct *handle,
 	return result_fname;
 }
 
-/*
- * XXX this should have gone through open() conversion, so why do we need
- * a handler here? posix_fget_nt_acl() falls back to posix_get_nt_acl() for
- * dirs (or fd == -1).
- */
-static NTSTATUS ceph_snap_gmt_fget_nt_acl(vfs_handle_struct *handle,
-					struct files_struct *fsp,
-					uint32_t security_info,
-					TALLOC_CTX *mem_ctx,
-					struct security_descriptor **ppdesc)
-{
-	time_t timestamp = 0;
-	char stripped[PATH_MAX + 1];
-	char conv[PATH_MAX + 1];
-	struct smb_filename *smb_fname;
-	int ret;
-	NTSTATUS status;
-
-	ret = ceph_snap_gmt_strip_snapshot(handle,
-					fsp->fsp_name->base_name,
-					&timestamp, stripped, sizeof(stripped));
-	if (ret < 0) {
-		return map_nt_error_from_unix(-ret);
-	}
-	if (timestamp == 0) {
-		return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info,
-						mem_ctx,
-						ppdesc);
-	}
-	ret = ceph_snap_gmt_convert(handle, stripped,
-					timestamp, conv, sizeof(conv));
-	if (ret < 0) {
-		return map_nt_error_from_unix(-ret);
-	}
-
-	smb_fname = synthetic_smb_fname(mem_ctx,
-					conv,
-					NULL,
-					NULL,
-					fsp->fsp_name->flags);
-	if (smb_fname == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	status = SMB_VFS_NEXT_GET_NT_ACL(handle, smb_fname, security_info,
-					 mem_ctx, ppdesc);
-	TALLOC_FREE(smb_fname);
-	return status;
-}
-
 static NTSTATUS ceph_snap_gmt_get_nt_acl(vfs_handle_struct *handle,
 				       const struct smb_filename *csmb_fname,
 				       uint32_t security_info,
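Review bot: the removed XXX comment at the top of ceph_snap_gmt_fget_nt_acl() names two cases that reached this handler, directories and fd == -1, but the commit message only accounts for directories. Please say in the commit message, or in a comment near the vfs_fn_pointers table, why an fsp with fd == -1 no longer needs the ceph_snap_gmt_strip_snapshot() / ceph_snap_gmt_convert() path translation, so the removal can be checked against the posix_fget_nt_acl() change in the same series.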
@@ -1570,8 +1520,6 @@ static struct vfs_fn_pointers ceph_snap_fns = {
 	.mknodat_fn = ceph_snap_gmt_mknodat,
 	.realpath_fn = ceph_snap_gmt_realpath,
 	.get_nt_acl_fn = ceph_snap_gmt_get_nt_acl,
-	.fget_nt_acl_fn = ceph_snap_gmt_fget_nt_acl,
-	.get_nt_acl_fn = ceph_snap_gmt_get_nt_acl,
 	.mkdirat_fn = ceph_snap_gmt_mkdirat,
 	.getxattr_fn = ceph_snap_gmt_getxattr,
 	.getxattrat_send_fn = vfs_not_implemented_getxattrat_send,
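Review bot: the second `.get_nt_acl_fn = ceph_snap_gmt_get_nt_acl,` removed here was a duplicate designated initializer that compiled without complaint, with the later entry simply winning. Both entries named the same function, so nothing changes, but it would be worth checking the other vfs_fn_pointers tables for the same pattern, for example by building with -Woverride-init, since a duplicate naming a different function would be a real bug.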
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index a739b17963a..6609cabe2e0 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -637,7 +637,10 @@ static int vfswrap_mkdirat(vfs_handle_struct *handle,
 
 	if (lp_inherit_acls(SNUM(handle->conn))) {
 		ok = parent_smb_fname(talloc_tos(), smb_fname, &parent, NULL);
-		if (ok && directory_has_default_acl(handle->conn, parent)) {
+		if (ok && directory_has_default_acl(handle->conn,
+				dirfsp,
+				parent))
+		{
 			mode = (0777 & lp_directory_mask(SNUM(handle->conn)));
 		}
 	}
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index c4881c6d53e..b57720a73c7 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -2155,50 +2155,6 @@ done:
 	return ret;
 }
 
-static NTSTATUS shadow_copy2_fget_nt_acl(vfs_handle_struct *handle,
-					struct files_struct *fsp,
-					uint32_t security_info,
-					 TALLOC_CTX *mem_ctx,
-					struct security_descriptor **ppdesc)
-{
-	time_t timestamp = 0;
-	char *stripped = NULL;
-	NTSTATUS status;
-	char *conv;
-	struct smb_filename *smb_fname = NULL;
-
-	if (!shadow_copy2_strip_snapshot(talloc_tos(), handle,
-					 fsp->fsp_name->base_name,
-					 &timestamp, &stripped)) {
-		return map_nt_error_from_unix(errno);
-	}
-	if (timestamp == 0) {
-		return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info,
-						mem_ctx,
-						ppdesc);
-	}
-	conv = shadow_copy2_convert(talloc_tos(), handle, stripped, timestamp);
-	TALLOC_FREE(stripped);
-	if (conv == NULL) {
-		return map_nt_error_from_unix(errno);
-	}
-	smb_fname = synthetic_smb_fname(talloc_tos(),
-					conv,
-					NULL,
-					NULL,
-					fsp->fsp_name->flags);
-	if (smb_fname == NULL) {
-		TALLOC_FREE(conv);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	status = SMB_VFS_NEXT_GET_NT_ACL(handle, smb_fname, security_info,
-					 mem_ctx, ppdesc);
-	TALLOC_FREE(conv);
-	TALLOC_FREE(smb_fname);
-	return status;
-}
-
 static NTSTATUS shadow_copy2_get_nt_acl(vfs_handle_struct *handle,
 					const struct smb_filename *smb_fname,
 					uint32_t security_info,
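Review bot: the justification for dropping shadow_copy2_fget_nt_acl() differs from the snapper and ceph_snapshots removals: the commit message argues that an open fsp has already been through pathname translation, whereas the removed body re-derived the snapshot path from fsp->fsp_name->base_name and called SMB_VFS_NEXT_GET_NT_ACL() on it. A test that reads the security descriptor through an open handle on a snapshot path would confirm that the fd-based call now returns the same descriptor as the path-based one did.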
@@ -3204,7 +3160,6 @@ static struct vfs_fn_pointers vfs_shadow_copy2_fns = {
 	.mknodat_fn = shadow_copy2_mknodat,
 	.realpath_fn = shadow_copy2_realpath,
 	.get_nt_acl_fn = shadow_copy2_get_nt_acl,
-	.fget_nt_acl_fn = shadow_copy2_fget_nt_acl,
 	.get_shadow_copy_data_fn = shadow_copy2_get_shadow_copy_data,
 	.mkdirat_fn = shadow_copy2_mkdirat,
 	.getxattr_fn = shadow_copy2_getxattr,
diff --git a/source3/modules/vfs_snapper.c b/source3/modules/vfs_snapper.c
index 86bcfd85686..5c56f0aa327 100644
--- a/source3/modules/vfs_snapper.c
+++ b/source3/modules/vfs_snapper.c
@@ -2398,50 +2398,6 @@ done:
 	return result_fname;
 }
 
-static NTSTATUS snapper_gmt_fget_nt_acl(vfs_handle_struct *handle,
-					struct files_struct *fsp,
-					uint32_t security_info,
-					TALLOC_CTX *mem_ctx,
-					struct security_descriptor **ppdesc)
-{
-	time_t timestamp;
-	char *stripped;
-	NTSTATUS status;
-	char *conv;
-	struct smb_filename *smb_fname = NULL;
-
-	if (!snapper_gmt_strip_snapshot(talloc_tos(), handle,
-					fsp->fsp_name->base_name,
-					&timestamp, &stripped)) {
-		return map_nt_error_from_unix(errno);
-	}
-	if (timestamp == 0) {
-		return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info,
-						mem_ctx,
-						ppdesc);
-	}
-	conv = snapper_gmt_convert(talloc_tos(), handle, stripped, timestamp);
-	TALLOC_FREE(stripped);
-	if (conv == NULL) {
-		return map_nt_error_from_unix(errno);
-	}
-
-	smb_fname = synthetic_smb_fname(talloc_tos(),
-					conv,
-					NULL,
-					NULL,
-					fsp->fsp_name->flags);
-	TALLOC_FREE(conv);
-	if (smb_fname == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	status = SMB_VFS_NEXT_GET_NT_ACL(handle, smb_fname, security_info,
-					 mem_ctx, ppdesc);
-	TALLOC_FREE(smb_fname);
-	return status;
-}
-
 static NTSTATUS snapper_gmt_get_nt_acl(vfs_handle_struct *handle,
 				       const struct smb_filename *fname,
 				       uint32_t security_info,
@@ -2850,7 +2806,6 @@ static struct vfs_fn_pointers snapper_fns = {
 	.mknodat_fn = snapper_gmt_mknodat,
 	.realpath_fn = snapper_gmt_realpath,
 	.get_nt_acl_fn = snapper_gmt_get_nt_acl,
-	.fget_nt_acl_fn = snapper_gmt_fget_nt_acl,
 	.mkdirat_fn = snapper_gmt_mkdirat,
 	.getxattr_fn = snapper_gmt_getxattr,
 	.getxattrat_send_fn = vfs_not_implemented_getxattrat_send,
diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c b/source3/rpc_server/eventlog/srv_eventlog_nt.c
index a444967586b..21477b6a666 100644
--- a/source3/rpc_server/eventlog/srv_eventlog_nt.c
+++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c
@@ -80,6 +80,67 @@ static EVENTLOG_INFO *find_eventlog_info_by_hnd( struct pipes_struct * p,
 	return info;
 }
 
+/********************************************************************
+ Pull the NT ACL from a file on disk or the OpenEventlog() access
+ check.  Caller is responsible for freeing the returned security
+ descriptor via TALLOC_FREE().  This is designed for dealing with
+ user space access checks in smbd outside of the VFS.  For example,
+ checking access rights in OpenEventlog() or from python.
+
+********************************************************************/
+
+static NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx,
+			    struct auth_session_info *session_info,
+			    const char *fname,
+				uint32_t security_info_wanted,
+				struct security_descriptor **sd)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct conn_struct_tos *c = NULL;
+	NTSTATUS status = NT_STATUS_OK;
+	struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
+						fname,
+						NULL,
+						NULL,
+						0);
+
+	if (smb_fname == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!posix_locking_init(false)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = create_conn_struct_tos(global_messaging_context(),
+					-1,
+					"/",
+					session_info,
+					&c);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("create_conn_struct returned %s.\n",
+			nt_errstr(status)));
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = SMB_VFS_GET_NT_ACL(c->conn,
+				smb_fname,
+				security_info_wanted,
+				ctx,
+				sd);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("get_nt_acl_no_snum: SMB_VFS_GET_NT_ACL returned %s.\n",
+			  nt_errstr(status)));
+	}
+
+	TALLOC_FREE(frame);
+
+	return status;
+}
+
 /********************************************************************
 ********************************************************************/
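Review bot: the header comment moved along with get_nt_acl_no_snum() still says it is for checking access rights "in OpenEventlog() or from python", but the function is now static in srv_eventlog_nt.c, so the python reference is stale and should be dropped. While moving it, the posix_locking_init(false) failure path that returns NT_STATUS_NO_MEMORY and the first DEBUG(0, ...) message, which prints "create_conn_struct returned" without the function name, could be tidied, and the parameter indentation made consistent.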
 
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 8ad8a6b5188..d0988afcec0 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -832,8 +832,11 @@ bool recursive_rmdir(TALLOC_CTX *ctx,
 			continue;
 		}
 
-		if (!is_visible_file(conn, smb_dname, dname, &st,
-				     false)) {
+		if (!is_visible_file(conn,
+					dir_hnd,
+					dname,
+					&st,
+					false)) {
 			TALLOC_FREE(talloced);
 			continue;
 		}
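Review bot: in recursive_rmdir() the argument changes from smb_dname to dir_hnd, and is_visible_file() now takes the directory name from dir_hnd->fsp->fsp_name. The hunk does not show where dir_hnd is opened, so please confirm it is opened on smb_dname at all three call sites in this file; the "no change in functionality" statement in the commit message depends on that.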
@@ -969,8 +972,11 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp)
 				TALLOC_FREE(talloced);
 				continue;
 			}
-			if (!is_visible_file(conn, smb_dname, dname,
-					     &st, false)) {
+			if (!is_visible_file(conn,
+						dir_hnd,
+						dname,
+						&st,
+						false)) {
 				TALLOC_FREE(talloced);
 				continue;
 			}
@@ -1004,8 +1010,11 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp)
 				TALLOC_FREE(talloced);
 				continue;
 			}
-			if (!is_visible_file(conn, smb_dname, dname,
-					     &st, false)) {
+			if (!is_visible_file(conn,
+						dir_hnd,
+						dname,
+						&st,
+						false)) {
 				TALLOC_FREE(talloced);
 				continue;
 			}
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 7f5af0e37d3..144f193ffbb 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -408,7 +408,7 @@ static const char *dptr_normal_ReadDirName(struct dptr_struct *dptr,
 	while ((name = ReadDirName(dptr->dir_hnd, poffset, pst, &talloced))
 	       != NULL) {
 		if (is_visible_file(dptr->conn,
-				dptr->smb_dname,
+				dptr->dir_hnd,
 				name,
 				pst,
 				true)) {
@@ -466,7 +466,7 @@ static char *dptr_ReadDirName(TALLOC_CTX *ctx,
 
 	/* First check if it should be visible. */
 	if (!is_visible_file(dptr->conn,
-			dptr->smb_dname,
+			dptr->dir_hnd,
 			dptr->wcard,
 			pst,
 			true)) {
@@ -1209,16 +1209,17 @@ static bool file_is_special(connection_struct *conn,
 ********************************************************************/
 
 bool is_visible_file(connection_struct *conn,
-		     struct smb_filename *dir_path,
-		     const char *name,
-		     SMB_STRUCT_STAT *pst,
-		     bool use_veto)
+		struct smb_Dir *dir_hnd,
+		const char *name,
+		SMB_STRUCT_STAT *pst,
+		bool use_veto)
 {
 	bool hide_unreadable = lp_hide_unreadable(SNUM(conn));
 	bool hide_unwriteable = lp_hide_unwriteable_files(SNUM(conn));
 	bool hide_special = lp_hide_special_files(SNUM(conn));
 	int hide_new_files_timeout = lp_hide_new_files_timeout(SNUM(conn));
 	char *entry = NULL;
+	struct smb_filename *dir_path = dir_hnd->fsp->fsp_name;
 	struct smb_filename *smb_fname_base = NULL;
 	bool ret = false;
 
@@ -1760,7 +1761,11 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp)
 			}
 		}
 
-		if (!is_visible_file(conn, fsp->fsp_name, dname, &st, True)) {
+		if (!is_visible_file(conn,
+				dir_hnd,
+				dname,
+				&st,
+				True)) {
 			TALLOC_FREE(talloced);
 			continue;
 		}
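Review bot: this call in can_delete_directory_fsp() is the only visible call site where the old argument was fsp->fsp_name, so after the change the path comes from dir_hnd->fsp->fsp_name instead. Please confirm that dir_hnd here is opened from fsp (or on fsp->fsp_name) so both resolve to the same name. The `True` literal could also become `true` to match the other callers touched in this series.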
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 4884301fd4b..42936478f92 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -141,7 +141,8 @@ bool can_write_to_file(connection_struct *conn,
 ****************************************************************************/
 
 bool directory_has_default_acl(connection_struct *conn,
-			       struct smb_filename *smb_fname)
+		struct files_struct *dirfsp,
+		struct smb_filename *smb_fname)
 {
 	struct security_descriptor *secdesc = NULL;
 	unsigned int i;
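Review bot: the new dirfsp parameter of directory_has_default_acl() is added without any comment on how it relates to smb_fname. The callers in this changeset already pass different things, dirfsp from the mkdirat implementations and conn->cwd_fsp from open_file_ntcreate(), so the function comment should say whether smb_fname is expected to be relative to dirfsp and that the argument is currently unused, before the later move to SMB_VFS_GET_NT_ACL_AT() starts relying on it.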
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index ef20b44ea15..aa86cef944a 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3592,7 +3592,10 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 	 */
 
         if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
-	    (def_acl = directory_has_default_acl(conn, parent_dir_fname))) {
+	    (def_acl = directory_has_default_acl(conn,
+				conn->cwd_fsp,
+				parent_dir_fname)))
+	{
 		unx_mode = (0777 & lp_create_mask(SNUM(conn)));
 	}
 
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 97caa47dde9..6fbec943b0e 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3489,14 +3489,6 @@ NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
 	DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
 		  fsp_str_dbg(fsp)));
 
-	/* can it happen that fsp_name == NULL ? */
-	if (fsp->fsp_flags.is_directory ||  fsp->fh->fd == -1) {
-		status = posix_get_nt_acl(fsp->conn, fsp->fsp_name,
-					  security_info, mem_ctx, ppdesc);
-		TALLOC_FREE(frame);
-		return status;
-	}
-
 	/* Get the stat struct for the owner info. */
 	if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
 		TALLOC_FREE(frame);
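Review bot: with the fall-back removed, an fsp whose fsp->fh->fd is -1 now goes straight on to `SMB_VFS_FSTAT(fsp, &sbuf)` instead of being handled deliberately. The commit message says stat opens cannot read a security descriptor anyway, so an explicit early return with a clear status, or an assert that the fd is valid, would document that and avoid depending on the fstat call rejecting the descriptor. The removed question "can it happen that fsp_name == NULL ?" is also left unanswered.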
@@ -4635,67 +4627,6 @@ NTSTATUS set_unix_posix_acl(connection_struct *conn,
 	return NT_STATUS_OK;
 }
 
-/********************************************************************
- Pull the NT ACL from a file on disk or the OpenEventlog() access
- check.  Caller is responsible for freeing the returned security
- descriptor via TALLOC_FREE().  This is designed for dealing with 
- user space access checks in smbd outside of the VFS.  For example,
- checking access rights in OpenEventlog() or from python.
-
-********************************************************************/
-
-NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx,
-			    struct auth_session_info *session_info,
-			    const char *fname,
-				uint32_t security_info_wanted,
-				struct security_descriptor **sd)
-{
-	TALLOC_CTX *frame = talloc_stackframe();
-	struct conn_struct_tos *c = NULL;
-	NTSTATUS status = NT_STATUS_OK;
-	struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
-						fname,
-						NULL,
-						NULL,
-						0);
-
-	if (smb_fname == NULL) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (!posix_locking_init(false)) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	status = create_conn_struct_tos(global_messaging_context(),
-					-1,
-					"/",
-					session_info,
-					&c);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("create_conn_struct returned %s.\n",
-			nt_errstr(status)));
-		TALLOC_FREE(frame);
-		return status;


-- 
Samba Shared Repository


