Diffstat (limited to 'python')
-rw-r--r--python/samba/samba3/libsmb_samba_internal.py77
1 files changed, 73 insertions, 4 deletions
diff --git a/python/samba/samba3/libsmb_samba_internal.py b/python/samba/samba3/libsmb_samba_internal.py
index cb585294925..ef0b30d774b 100644
--- a/python/samba/samba3/libsmb_samba_internal.py
+++ b/python/samba/samba3/libsmb_samba_internal.py
@@ -31,11 +31,75 @@ class Conn(LibsmbCConn):
security.SECINFO_DACL | \
security.SECINFO_SACL
+ def required_access_for_get_secinfo(self, secinfo):
+ access = 0
+
+ #
+ # This is based on MS-FSA
+ # 2.1.5.13 Server Requests a Query of Security Information
+ #
+ # Note that MS-SMB2 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
+ # doesn't specify any extra checks
+ #
+
+ if secinfo & security.SECINFO_OWNER:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_GROUP:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_DACL:
+ access |= security.SEC_STD_READ_CONTROL
+ if secinfo & security.SECINFO_SACL:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_LABEL:
+ access |= security.SEC_STD_READ_CONTROL
+
+ return access
+
+ def required_access_for_set_secinfo(self, secinfo):
+ access = 0
+
+ #
+ # This is based on MS-FSA
+ # 2.1.5.16 Server Requests Setting of Security Information
+ # and additional constraints from
+ # MS-SMB2 3.3.5.21.3 Handling SMB2_0_INFO_SECURITY
+ #
+
+ if secinfo & security.SECINFO_OWNER:
+ access |= security.SEC_STD_WRITE_OWNER
+ if secinfo & security.SECINFO_GROUP:
+ access |= security.SEC_STD_WRITE_OWNER
+ if secinfo & security.SECINFO_DACL:
+ access |= security.SEC_STD_WRITE_DAC
+ if secinfo & security.SECINFO_SACL:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_LABEL:
+ access |= security.SEC_STD_WRITE_OWNER
+
+ if secinfo & security.SECINFO_ATTRIBUTE:
+ access |= security.SEC_STD_WRITE_DAC
+
+ if secinfo & security.SECINFO_SCOPE:
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ if secinfo & security.SECINFO_BACKUP:
+ access |= security.SEC_STD_WRITE_OWNER
+ access |= security.SEC_STD_WRITE_DAC
+ access |= security.SEC_FLAG_SYSTEM_SECURITY
+
+ return access
+
def get_acl(self,
filename,
- sinfo = SECINFO_DEFAULT_FLAGS,
- access_mask = security.SEC_FLAG_MAXIMUM_ALLOWED):
+ sinfo=None,
+ access_mask=None):
"""Get security descriptor for file."""
+ if sinfo is None:
+ sinfo = self.SECINFO_DEFAULT_FLAGS
+ if access_mask is None:
+ access_mask = self.required_access_for_get_secinfo(sinfo)
fnum = self.create(
Name=filename,
DesiredAccess=access_mask,
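Review bot: `required_access_for_get_secinfo` returns 0 when `secinfo` carries only bits it does not test. `SECINFO_ATTRIBUTE`, `SECINFO_SCOPE` and `SECINFO_BACKUP` are handled in `required_access_for_set_secinfo` but not here, and `get_acl` then passes that 0 to `create()` as `DesiredAccess`. If MS-FSA 2.1.5.13 is meant to require nothing for those classes, say so next to the checks, e.g. `# SECINFO_ATTRIBUTE/SCOPE/BACKUP: no access bits derived here; pass access_mask explicitly`; otherwise map them as the set helper does. Both helpers also lack a docstring stating that they return the minimum access mask for the given `secinfo` bits. The hunk ends inside the `create()` call, so the rest of `get_acl` is not visible here.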
@@ -49,11 +113,16 @@ class Conn(LibsmbCConn):
def set_acl(self,
filename,
sd,
- sinfo = SECINFO_DEFAULT_FLAGS):
+ sinfo=None,
+ access_mask=None):
"""Set security descriptor for file."""
+ if sinfo is None:
+ sinfo = self.SECINFO_DEFAULT_FLAGS
+ if access_mask is None:
+ access_mask = self.required_access_for_set_secinfo(sinfo)
fnum = self.create(
Name=filename,
- DesiredAccess=security.SEC_FLAG_MAXIMUM_ALLOWED,
+ DesiredAccess=access_mask,
ShareAccess=(FILE_SHARE_READ|FILE_SHARE_WRITE))
try:
self.set_sd(fnum, sd, sinfo)
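Review bot: The `set_acl` docstring still reads only "Set security descriptor for file." although the open no longer uses `SEC_FLAG_MAXIMUM_ALLOWED` and a new `access_mask` parameter has been added. With `sinfo` left at its default the mask now comes from `required_access_for_set_secinfo`, and because the visible tail of `SECINFO_DEFAULT_FLAGS` includes `SECINFO_SACL`, it contains `SEC_FLAG_SYSTEM_SECURITY`. Callers that relied on the old default and only meant to change the DACL may presumably see the open refused where it used to succeed, so the contract is worth stating. I would extend the docstring with `access_mask defaults to the minimum rights implied by sinfo; pass sinfo=security.SECINFO_DACL to avoid requesting SEC_FLAG_SYSTEM_SECURITY`. The same applies to `get_acl` in the previous hunk, and the body of `set_acl` continues past the end of this hunk.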