[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access
Jeremy Allison
jra at samba.org
Fri Mar 1 21:24:39 UTC 2019
On Fri, Mar 01, 2019 at 07:17:35PM +0100, Ralph Böhme wrote:
>
> From 7ab8d8c3c8dc22e875dfd30b4877e44dc6dc0329 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Fri, 1 Mar 2019 09:49:17 +0100
> Subject: [PATCH 2/9] s3:libsmb: add cli_query_mxac()
>
> Works only for SMB2. Is there a way to do this over SMB1?
> ---
> source3/libsmb/clisecdesc.c | 12 ++++++++++++
> source3/libsmb/proto.h | 4 ++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/source3/libsmb/clisecdesc.c b/source3/libsmb/clisecdesc.c
> index c11e4b322ef..f9a7a057ed6 100644
> --- a/source3/libsmb/clisecdesc.c
> +++ b/source3/libsmb/clisecdesc.c
> @@ -91,6 +91,18 @@ NTSTATUS cli_query_secdesc(struct cli_state *cli, uint16_t fnum,
> return cli_query_security_descriptor(cli, fnum, sec_info, mem_ctx, sd);
> }
>
> +NTSTATUS cli_query_mxac(struct cli_state *cli,
> + const char *filename,
> + uint32_t *mxac)
> +{
> + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
> + return NT_STATUS_NOT_SUPPORTED;
> + }
> +
> + return cli_smb2_query_mxac(cli, filename, mxac);
> +}
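
Review bot: in cli_query_mxac(), the pre-SMB2 branch returns NT_STATUS_NOT_SUPPORTED without writing *mxac, so a caller that does not check the status sees whatever value the variable held before the call. Consider setting *mxac = 0 ahead of the protocol check, and add a comment above the function saying it is SMB2-only, since only the commit message states that today. The 4 lines the diffstat lists for source3/libsmb/proto.h are not visible here, so the prototype cannot be compared with this definition.
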
FYI, I think the max access is returned in SMB1 using
the EXTENDED_RESPONSE_REQUIRED flag to NTCreateX in
the flags field from:

	flags = IVAL(req->vwv+3, 1);

Here's what we currently do in smbd code to return
this:

	if (flags & EXTENDED_RESPONSE_REQUIRED) {
		uint32_t perms = 0;
		p += 25;
		if (fsp->is_directory ||
				fsp->can_write ||
				can_write_to_file(conn, smb_fname)) {
			perms = FILE_GENERIC_ALL;
		} else {
			perms = FILE_GENERIC_READ|FILE_EXECUTE;
		}
		SIVAL(p,0,perms);
	}

i.e. we don't really support it correctly.

To be honest I think it really isn't worth the time
or effort implementing this client side or testing
over SMB1.

Just let it die... :-).