[SCM] Samba Shared Repository - branch master updated

Tue Jul 26 00:32:01 UTC 2022

The branch, master has been updated
       via  0d4cb5a641e smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL
      from  cf6cc948e04 s3:profile: make use of tevent_cached_getpid() in performance critical code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0d4cb5a641e1fea2d369bdc66470a580321366c2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 13 11:15:39 2022 +0000

    smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL
    
    commit 8e3798dd22276bc1ac8e96004d0e5e974240a7b9 actually came with a
    change in behavior..., as SMB_VFS_GET_NT_ACL_AT() (at the time) and
    now SMB_VFS_FGET_NT_ACL() is always called even if it's not needed.
    E.g. access by root.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Jul 26 00:31:29 UTC 2022 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/open.c | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3a8c0bf9c48..ee61137ab9d 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -95,18 +95,13 @@ static bool parent_override_delete(connection_struct *conn,
  Check if we have open rights.
 ****************************************************************************/
 
-static NTSTATUS smbd_check_access_rights_sd(
+static NTSTATUS smbd_check_access_rights_fname(
 				struct connection_struct *conn,
-				struct files_struct *dirfsp,
 				const struct smb_filename *smb_fname,
-				struct security_descriptor *sd,
 				bool use_privs,
 				uint32_t access_mask)
 {
 	uint32_t rejected_share_access;
-	uint32_t rejected_mask = access_mask;
-	uint32_t do_not_check_mask = 0;
-	NTSTATUS status;
 
 	rejected_share_access = access_mask & ~(conn->share_access);
 
@@ -147,6 +142,21 @@ static NTSTATUS smbd_check_access_rights_sd(
 		return NT_STATUS_OK;
 	}
 
+	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static NTSTATUS smbd_check_access_rights_sd(
+				struct connection_struct *conn,
+				struct files_struct *dirfsp,
+				const struct smb_filename *smb_fname,
+				struct security_descriptor *sd,
+				bool use_privs,
+				uint32_t access_mask)
+{
+	uint32_t rejected_mask = access_mask;
+	uint32_t do_not_check_mask = 0;
+	NTSTATUS status;
+
 	if (sd == NULL) {
 		goto access_denied;
 	}
@@ -278,6 +288,14 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *dirfsp,
 		return NT_STATUS_OK;
 	}
 
+	status = smbd_check_access_rights_fname(fsp->conn,
+						fsp->fsp_name,
+						use_privs,
+						access_mask);
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		return status;
+	}
+
 	status = SMB_VFS_FGET_NT_ACL(fsp,
 				     (SECINFO_OWNER |
 				      SECINFO_GROUP |


-- 
Samba Shared Repository

