authorStefan Metzmacher <metze@samba.org>2020-12-03 14:51:52 +0100
committerStefan Metzmacher <metze@samba.org>2020-12-17 13:59:38 +0000
commit18dd953d83a5d43b243047d9dd622620034ee6c7 (patch)
tree230d7db0af4c651eba1d508b66d79fe5bd505367 /python
parent0ccdce67d3adfc06b6d8235b53d677da1526ba4b (diff)
libsmb_samba_internal: calculate the access_mask for {g,s}et_acl() based on the secinfo flags
SEC_FLAG_MAXIMUM_ALLOWED will never result in SEC_FLAG_SYSTEM_SECURITY being granted. As SECINFO_SACL is part of the default secinfo value (SECINFO_DEFAULT_FLAGS), {g,s}et_acl() will always return NT_STATUS_ACCESS_DENIED by default. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'python')
-rw-r--r--python/samba/samba3/libsmb_samba_internal.py77
1 files changed, 73 insertions, 4 deletions
diff --git a/python/samba/samba3/libsmb_samba_internal.py b/python/samba/samba3/libsmb_samba_internal.py
index cb585294925..ef0b30d774b 100644
--- a/python/samba/samba3/libsmb_samba_internal.py
+++ b/python/samba/samba3/libsmb_samba_internal.py
@@ -31,11 +31,75 @@ class Conn(LibsmbCConn):
security.SECINFO_DACL | \
security.SECINFO_SACL
+ def required_access_for_get_secinfo(self, secinfo):
+ access = 0
+
+ #
+ # This is based on MS-FSA
+ # 2.1.5.13 Server Requests a Query of Security Information
+ #
+ # Note that MS-SMB2 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
+ # doesn't specify any extra checks
+ #
+
+ if secinfo & security.SECINFO_OWNER:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_GROUP:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_DACL:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_SACL:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_LABEL:
+ access |= security.SEC_STD_READ_CONTROL
+
+ return access
+
+ def required_access_for_set_secinfo(self, secinfo):
+ access = 0
+
+ #
+ # This is based on MS-FSA
+ # 2.1.5.16 Server Requests Setting of Security Information
+ # and additional constraints from
+ # MS-SMB2 3.3.5.21.3 Handling SMB2_0_INFO_SECURITY
+ #
+
+ if secinfo & security.SECINFO_OWNER:
+ access |= security.SEC_STD_WRITE_OWNER
+ if secinfo & security.SECINFO_GROUP:
+ access |= security.SEC_STD_WRITE_OWNER
+ if secinfo & security.SECINFO_DACL:
+ access |= security.SEC_STD_WRITE_DAC
+ if secinfo & security.SECINFO_SACL:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_LABEL:
+ access |= security.SEC_STD_WRITE_OWNER
+
+ if secinfo & security.SECINFO_ATTRIBUTE:
+ access |= security.SEC_STD_WRITE_DAC
+
+ if secinfo & security.SECINFO_SCOPE:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_BACKUP:
+ access |= security.SEC_STD_WRITE_OWNER
+ access |= security.SEC_STD_WRITE_DAC
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ return access
+
def get_acl(self,
filename,
- sinfo = SECINFO_DEFAULT_FLAGS,
- access_mask = security.SEC_FLAG_MAXIMUM_ALLOWED):
+ sinfo=None,
+ access_mask=None):
"""Get security descriptor for file."""
+ if sinfo is None:
+ sinfo = self.SECINFO_DEFAULT_FLAGS
+ if access_mask is None:
+ access_mask = self.required_access_for_get_secinfo(sinfo)
fnum = self.create(
Name=filename,
DesiredAccess=access_mask,
@@ -49,11 +113,16 @@ class Conn(LibsmbCConn):
def set_acl(self,
filename,
sd,
- sinfo = SECINFO_DEFAULT_FLAGS):
+ sinfo=None,
+ access_mask=None):
"""Set security descriptor for file."""
+ if sinfo is None:
+ sinfo = self.SECINFO_DEFAULT_FLAGS
+ if access_mask is None:
+ access_mask = self.required_access_for_set_secinfo(sinfo)
fnum = self.create(
Name=filename,
- DesiredAccess=security.SEC_FLAG_MAXIMUM_ALLOWED,
+ DesiredAccess=access_mask,
ShareAccess=(FILE_SHARE_READ|FILE_SHARE_WRITE))
try:
self.set_sd(fnum, sd, sinfo)
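Review bot: The new helpers required_access_for_get_secinfo and required_access_for_set_secinfo (first hunk) have no docstring, only the MS-FSA section references as inline comments, and neither reads self, so @staticmethod would fit; a one-liner such as `"""Minimum DesiredAccess needed to query the descriptor parts selected by secinfo (MS-FSA 2.1.5.13)."""` and its 2.1.5.16 / MS-SMB2 3.3.5.21.3 counterpart on the set variant would do. The get_acl and set_acl docstrings are unchanged although sinfo and access_mask now default to None; they should state that None derives the mask from sinfo, and that the default sinfo includes SECINFO_SACL, so the open now requests SEC_FLAG_SYSTEM_SECURITY and presumably fails for callers without that right (pass a sinfo without SECINFO_SACL to read or set only owner, group and DACL). Note also that an explicit access_mask is handed to DesiredAccess without being compared against the bits required for sinfo, so a mask narrower than what sinfo needs is not rejected locally and surfaces only as an error from the later query/set call — fine if that is a deliberate test hook, but worth a sentence in the docstring. get_acl's body and set_acl's try block both continue beyond their hunks.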