[PATCH] Dynamic share permission change detection.

boyang boyang at samba.org
Mon Nov 30 05:54:42 MST 2009 

Volker Lendecke wrote:
> On Mon, Nov 30, 2009 at 07:56:46PM +0800, boyang wrote:
>   
>> --- a/source3/smbd/open.c
>> +++ b/source3/smbd/open.c
>> @@ -1470,9 +1470,26 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
>>  	uint32 open_access_mask = access_mask;
>>  	NTSTATUS status;
>>  	char *parent_dir;
>> +	uint16 session_tag;
>>  
>>  	ZERO_STRUCT(id);
>>  
>> +	/* 
>> +	 * Check share access control in each open, what is 
>> +	 * windows does. We must not use vuid cache to perform 
>> +	 * checks here. And we will update vuid cache here.
>> +	 */
>> +	session_tag = (lp_security() == SEC_SHARE) ?
>> +			UID_FIELD_INVALID : req->vuid;
>> +	
>> +	become_root();
>> +	if (!check_share_perm_without_cache(conn, session_tag)) {
>> +		DEBUG(4, ("open_file_ntcreate: cannot access share!\n"));
>> +		unbecome_root();
>> +		return NT_STATUS_ACCESS_DENIED;
>> +	}
>> +	unbecome_root();
>>     
>
> Quick comment: We can't do a become_root() on every open.
> This is too expensive. We need to attach something like a
> security descriptor to the connection_struct to do the
> se_access_check in the open call.
>   
The problem here is that security descriptor alone cannot decide whether
the user has right to access or not..
lp_valid_users() and lp_xxx_users() affects access control.

User shares have no such list, so I think a security descriptor can work
for user shares. But for normal shares, we can not ignore lp_xx_users()
lists, unless we don't want it work. :-)

Should we ignore normal share's lp_xx_users() list at present?
>   
>> --- a/source3/smbd/process.c
>> +++ b/source3/smbd/process.c
>> @@ -1340,6 +1340,24 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
>>  			return NULL;
>>  		}
>>  
>> +		/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
>> +
>> +		/* 
>> +		 * Does it need write permission? Do a share permission check
>> +		 * without cache to update connection struct
>> +		 */
>> +		if (flags & NEED_WRITE) {
>> +			if (!check_share_perm_without_cache(conn, session_tag)) {
>> +				DEBUG(4, ("Error: cannot access share!\n"));
>> +				reply_nterror(req, NT_STATUS_ACCESS_DENIED);
>> +				return conn;
>> +			}
>> +			if (!CAN_WRITE(conn)) {
>> +				reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
>> +				return conn;
>> +			}
>> +		}
>> +
>>     
>
> Same here. We can't do this in the central event loop.
>   
Do you mean we cannot become_root()? or we cannot do checks here?
The commands with NEED_WRITE flag have to e aware of share permission,
which is the case in windows. I think you mean we cannot become_root() here?
> Volker
>   


-- 
Bo Yang, Software Engineer, Suse Labs
GPG-key-ID   538C4C1A
Samba Team   boyang at samba.org    http://www.samba.org/
SUSE Linux   boyang at suse.de      http://www.novell.com/

More information about the samba-technical mailing list