[PATCH] Dynamic share permission change detection.

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Nov 30 05:05:23 MST 2009 

On Mon, Nov 30, 2009 at 07:56:46PM +0800, boyang wrote:
> --- a/source3/smbd/open.c
> +++ b/source3/smbd/open.c
> @@ -1470,9 +1470,26 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
>  	uint32 open_access_mask = access_mask;
>  	NTSTATUS status;
>  	char *parent_dir;
> +	uint16 session_tag;
>  
>  	ZERO_STRUCT(id);
>  
> +	/* 
> +	 * Check share access control in each open, what is 
> +	 * windows does. We must not use vuid cache to perform 
> +	 * checks here. And we will update vuid cache here.
> +	 */
> +	session_tag = (lp_security() == SEC_SHARE) ?
> +			UID_FIELD_INVALID : req->vuid;
> +	
> +	become_root();
> +	if (!check_share_perm_without_cache(conn, session_tag)) {
> +		DEBUG(4, ("open_file_ntcreate: cannot access share!\n"));
> +		unbecome_root();
> +		return NT_STATUS_ACCESS_DENIED;
> +	}
> +	unbecome_root();

Quick comment: We can't do a become_root() on every open.
This is too expensive. We need to attach something like a
security descriptor to the connection_struct to do the
se_access_check in the open call.

> --- a/source3/smbd/process.c
> +++ b/source3/smbd/process.c
> @@ -1340,6 +1340,24 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
>  			return NULL;
>  		}
>  
> +		/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
> +
> +		/* 
> +		 * Does it need write permission? Do a share permission check
> +		 * without cache to update connection struct
> +		 */
> +		if (flags & NEED_WRITE) {
> +			if (!check_share_perm_without_cache(conn, session_tag)) {
> +				DEBUG(4, ("Error: cannot access share!\n"));
> +				reply_nterror(req, NT_STATUS_ACCESS_DENIED);
> +				return conn;
> +			}
> +			if (!CAN_WRITE(conn)) {
> +				reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
> +				return conn;
> +			}
> +		}
> +

Same here. We can't do this in the central event loop.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091130/b0554954/attachment.pgp>

More information about the samba-technical mailing list