mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Final part of patchset to fix bug #8556 - ACL permissions ignored when SMBsetatr is requested.

This now plumbs access checks through all setattr calls.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 16 04:20:04 CET 2011 on sn-devel-104
Jeremy Allison 2011-11-15 17:29:59 -08:00
parent 865bc0c0ac
commit 05e841c82c
3 changed files with 51 additions and 16 deletions


@ -1059,6 +1059,10 @@ int sys_statvfs(const char *path, vfs_statvfs_struct *statbuf);
/* The following definitions come from smbd/trans2.c */
NTSTATUS check_access(connection_struct *conn,
files_struct *fsp,
const struct smb_filename *smb_fname,
uint32_t access_mask);
uint64_t smb_roundup(connection_struct *conn, uint64_t val);
uint64_t get_FileIndex(connection_struct *conn, const SMB_STRUCT_STAT *psbuf);
NTSTATUS get_ea_value(TALLOC_CTX *mem_ctx, connection_struct *conn,


@ -1275,6 +1275,13 @@ void reply_setatr(struct smb_request *req)
else
mode &= ~FILE_ATTRIBUTE_DIRECTORY;
status = check_access(conn, NULL, smb_fname,
FILE_WRITE_ATTRIBUTES);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, status);
goto out;
}
if (file_set_dosmode(conn, smb_fname, mode, NULL,
false) != 0) {
reply_nterror(req, map_nt_error_from_unix(errno));
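Review bot: The added `check_access(conn, NULL, smb_fname, FILE_WRITE_ATTRIBUTES)` and the `file_set_dosmode()` call after it both work from the path in `smb_fname` rather than from an open handle, so the permission is evaluated on whatever the name resolves to at check time and the change is applied to whatever it resolves to afterwards. Nothing visible in this section shows what keeps those two the same object; if smbd guarantees that elsewhere, a short comment above the call naming that guarantee (and noting that SMBsetatr has no fsp, hence the path-based check) would make the assumption reviewable. reply_setatr's body starts and ends outside the hunk, so whether the rest of the setattr work after this block is covered by an equivalent check cannot be confirmed from here.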


@ -49,6 +49,30 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
files_struct *fsp,
const SMB_STRUCT_STAT *psbuf);
/********************************************************************
The canonical "check access" based on object handle or path function.
********************************************************************/
NTSTATUS check_access(connection_struct *conn,
files_struct *fsp,
const struct smb_filename *smb_fname,
uint32_t access_mask)
{
if (fsp) {
if (!(fsp->access_mask & access_mask)) {
return NT_STATUS_ACCESS_DENIED;
}
} else {
NTSTATUS status = smbd_check_access_rights(conn,
smb_fname,
access_mask);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
return NT_STATUS_OK;
}
/********************************************************************
Roundup a value to the nearest allocation roundup size boundary.
Only do this for Windows clients.
@ -504,14 +528,16 @@ static void canonicalize_ea_name(connection_struct *conn, files_struct *fsp, con
NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
const struct smb_filename *smb_fname, struct ea_list *ea_list)
{
NTSTATUS status;
char *fname = NULL;
if (!lp_ea_support(SNUM(conn))) {
return NT_STATUS_EAS_NOT_SUPPORTED;
}
if (fsp && !(fsp->access_mask & FILE_WRITE_EA)) {
return NT_STATUS_ACCESS_DENIED;
status = check_access(conn, fsp, smb_fname, FILE_WRITE_EA);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* For now setting EAs on streams isn't supported. */
@ -5540,6 +5566,8 @@ NTSTATUS smb_set_file_time(connection_struct *conn,
/****************************************************************************
Deal with setting the dosmode from any of the setfilepathinfo functions.
NB. The check for FILE_WRITE_ATTRIBUTES access on this path must have been
done before calling this function.
****************************************************************************/
static NTSTATUS smb_set_file_dosmode(connection_struct *conn,
@ -5724,10 +5752,6 @@ static NTSTATUS smb_info_set_ea(connection_struct *conn,
return NT_STATUS_INVALID_PARAMETER;
}
if (fsp && !(fsp->access_mask & FILE_WRITE_EA)) {
return NT_STATUS_ACCESS_DENIED;
}
status = set_ea(conn, fsp, smb_fname, ea_list);
return status;
@ -5771,10 +5795,6 @@ static NTSTATUS smb_set_file_full_ea_info(connection_struct *conn,
return NT_STATUS_INVALID_PARAMETER;
}
if (!(fsp->access_mask & FILE_WRITE_EA)) {
return NT_STATUS_ACCESS_DENIED;
}
status = set_ea(conn, fsp, fsp->fsp_name, ea_list);
DEBUG(10, ("smb_set_file_full_ea_info on file %s returned %s\n",
@ -6514,8 +6534,9 @@ static NTSTATUS smb_set_file_basic_info(connection_struct *conn,
return NT_STATUS_INVALID_PARAMETER;
}
if (fsp && !(fsp->access_mask & FILE_WRITE_ATTRIBUTES)) {
return NT_STATUS_ACCESS_DENIED;
status = check_access(conn, fsp, smb_fname, FILE_WRITE_ATTRIBUTES);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* Set the attributes */
@ -6554,6 +6575,7 @@ static NTSTATUS smb_set_info_standard(connection_struct *conn,
files_struct *fsp,
const struct smb_filename *smb_fname)
{
NTSTATUS status;
struct smb_file_time ft;
ZERO_STRUCT(ft);
@ -6572,8 +6594,9 @@ static NTSTATUS smb_set_info_standard(connection_struct *conn,
DEBUG(10,("smb_set_info_standard: file %s\n",
smb_fname_str_dbg(smb_fname)));
if (fsp && !(fsp->access_mask & FILE_WRITE_ATTRIBUTES)) {
return NT_STATUS_ACCESS_DENIED;
status = check_access(conn, fsp, smb_fname, FILE_WRITE_ATTRIBUTES);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return smb_set_file_time(conn,
@ -6946,8 +6969,9 @@ static NTSTATUS smb_set_file_unix_basic(connection_struct *conn,
}
#endif
if (fsp && !(fsp->access_mask & FILE_WRITE_ATTRIBUTES)) {
return NT_STATUS_ACCESS_DENIED;
status = check_access(conn, fsp, smb_fname, FILE_WRITE_ATTRIBUTES);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*
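Review bot: In the new `check_access()` the handle branch tests `!(fsp->access_mask & access_mask)`, which denies only when none of the requested bits were granted on the handle; a caller passing a mask with more than one bit set would be let through while holding just one of them. Every call added in this commit passes a single bit (`FILE_WRITE_EA` or `FILE_WRITE_ATTRIBUTES`), so this is latent rather than reachable here. For a function described as the canonical check, it should either require the full mask, `if ((fsp->access_mask & access_mask) != access_mask) {`, or state in its header comment that any-of semantics are intended. The header comment could also say that `fsp == NULL` selects the path-based `smbd_check_access_rights()` evaluation of `smb_fname`, since the two branches take their answer from different sources (presumably the rights granted at open time versus the current ACL).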