s3/smbd: fix access checks in set_ea_dos_attribute()

We wanted to set the DOS attributes and failed with permission denied
from the VFS/kernel/filesystem. Next thing we wanna do here is override
this if either

- "dos filemode = true" is set and the security descriptor gives the
  user write access or if

- the stored security descriptor has FILE_WRITE_ATTRIBUTES

The former was working, but the latter was not implemented at all.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12995

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 143d26283d)

source3/smbd/dosmode.c

@@ -464,6 +464,7 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn,
 		NTSTATUS status = NT_STATUS_OK;
 		bool need_close = false;
 		files_struct *fsp = NULL;
+		bool set_dosmode_ok = false;
 
 		if ((errno != EPERM) && (errno != EACCES)) {
 			DBG_INFO("Cannot set "
@@ -477,10 +478,21 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn,
 		*/
 
 		/* Check if we have write access. */
-		if (!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn)))
+		if (!CAN_WRITE(conn)) {
 			return NT_STATUS_ACCESS_DENIED;
+		}
 
-		if (!can_write_to_file(conn, smb_fname)) {
+		status = smbd_check_access_rights(conn, smb_fname, false,
+						  FILE_WRITE_ATTRIBUTES);
+		if (NT_STATUS_IS_OK(status)) {
+			set_dosmode_ok = true;
+		}
+
+		if (!set_dosmode_ok && lp_dos_filemode(SNUM(conn))) {
+			set_dosmode_ok = can_write_to_file(conn, smb_fname);
+		}
+
+		if (!set_dosmode_ok) {
 			return NT_STATUS_ACCESS_DENIED;
 		}