Bug 10252 - Access Based Enumeration: User can see/list folders/files even when they are denied either read attribute or read extended attribute permission

Jeremy Allison jra at samba.org
Wed Nov 6 16:51:36 MST 2013


On Wed, Nov 06, 2013 at 12:20:05PM +0530, Partha Sarathi wrote:
> Hi,
> 
> I have just gone through the hide unreadable related code and found that we are
> only checking for FILE_READ_DATA at user_can_read_file(), and I have added
> the rest of the access mask to just work similar to Windows.
> 
> 
> bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
> --- smbd/dir.c  2013-11-05 22:42:44.565464984 -0800
> +++ smbd/dir.c.fix      2013-11-05 22:42:31.751405097 -0800
> @@ -1185,7 +1185,7 @@ static bool user_can_read_file(connectio
>                 return True;
>         }
> 
> -       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
> +       return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
> FILE_READ_EA | FILE_READ_ATTRIBUTES));
>  }
> 
>  /*******************************************************************
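
Review bot: the widened mask on the can_access_file_acl() call in user_can_read_file() has no comment saying why FILE_READ_EA and FILE_READ_ATTRIBUTES are now required alongside FILE_READ_DATA, and the function name still reads as a read-data check only. Suggest a short comment above the return stating that an entry is hidden when any one of the three rights is denied, and confirming that can_access_file_acl() treats the mask as all-bits-required, since the change depends on that. A torture test that denies each of the three rights individually and checks that the entry disappears from the listing would cover this line.
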
> 
> 
> Note: I have done the unit test and it just works like Windows, i.e. even if
> the user is just denied any one of the READ permissions, Samba hides the
> folders/files with the above changes.

Very cool ! This actually fits in with a bug I've been working
on with David Disseldorp (can't remember the bugid off hand)
where we also need to check the specific open access modes
before returning a getinfo reply for SMB2.

Richard is right that we need more torture tests around this,
then we can get the code into a release.

Could you log a bug please so we can track this ?

Thanks,

Jeremy.

