summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2008-10-31 18:04:53 -0700
committerJeremy Allison <jra@samba.org>2008-10-31 18:04:53 -0700
commit54eaf2de74b4779919ae97b54abceb3878894bf6 (patch)
tree21ab7a23cc7f16d8c5afcae7d37c8305f214a7bb /source3/smbd
parent7ca8be13842a488691e33ba3edd0b714e5e3ae6a (diff)
downloadsamba-54eaf2de74b4779919ae97b54abceb3878894bf6.tar.gz
Get closer to passing S4 RAW-ACLs.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/open.c47
-rw-r--r--source3/smbd/trans2.c9
2 files changed, 48 insertions, 8 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 15645250054..5836c43afc4 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1370,16 +1370,53 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
}
}
- /* This is a nasty hack - must fix... JRA. */
- if (access_mask == MAXIMUM_ALLOWED_ACCESS) {
- open_access_mask = access_mask = FILE_GENERIC_ALL;
- }
-
/*
* Convert GENERIC bits to specific bits.
*/
se_map_generic(&access_mask, &file_generic_mapping);
+
+ /* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
+ if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
+ if (file_existed) {
+ struct security_descriptor *sd;
+ uint32_t access_granted = 0;
+
+ status = SMB_VFS_GET_NT_ACL(conn, fname,
+ (OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION),&sd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_file_ntcreate: Could not get acl "
+ "on file %s: %s\n",
+ fname,
+ nt_errstr(status)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = se_access_check(sd, conn->server_info->ptok,
+ access_mask, &access_granted);
+
+ TALLOC_FREE(sd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_file_ntcreate: Access denied on "
+ "file %s: when calculating maximum access\n",
+ fname));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ access_mask = access_granted;
+ /*
+ * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+ */
+ access_mask |= FILE_READ_ATTRIBUTES;
+ } else {
+ access_mask = FILE_GENERIC_ALL;
+ }
+ }
+
open_access_mask = access_mask;
if ((flags2 & O_TRUNC) || (oplock_request & FORCE_OPLOCK_BREAK_TO_NONE)) {
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 1da45a8b58c..a450a56e72a 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3846,7 +3846,6 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
files_struct *fsp = NULL;
struct file_id fileid;
struct ea_list *ea_list = NULL;
- uint32 access_mask = 0x12019F; /* Default - GENERIC_EXECUTE mapping from Windows */
char *lock_data = NULL;
bool ms_dfs_link = false;
TALLOC_CTX *ctx = talloc_tos();
@@ -3939,7 +3938,6 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
pos = fsp->fh->position_information;
fileid = vfs_file_id_from_sbuf(conn, &sbuf);
get_file_infos(fileid, &delete_pending, &write_time_ts);
- access_mask = fsp->access_mask;
}
} else {
@@ -4403,7 +4401,12 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
case SMB_FILE_ACCESS_INFORMATION:
DEBUG(10,("call_trans2qfilepathinfo: SMB_FILE_ACCESS_INFORMATION\n"));
- SIVAL(pdata,0,access_mask);
+ if (fsp) {
+ SIVAL(pdata,0,fsp->access_mask);
+ } else {
+ /* GENERIC_EXECUTE mapping from Windows */
+ SIVAL(pdata,0,0x12019F);
+ }
data_size = 4;
break;