mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
libsmb_samba_internal: calculate the access_mask for {g,s}et_acl() based on the secinfo flags
SEC_FLAG_MAXIMUM_ALLOWED will never result in SEC_FLAG_SYSTEM_SECURITY being granted. As SECINFO_SACL is part of the default secinfo value (SECINFO_DEFAULT_FLAGS), {g,s}et_acl() will always return NT_STATUS_ACCESS_DENIED by default. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
0ccdce67d3
commit
18dd953d83
@ -31,11 +31,75 @@ class Conn(LibsmbCConn):
|
||||
security.SECINFO_DACL | \
|
||||
security.SECINFO_SACL
|
||||
|
||||
def required_access_for_get_secinfo(self, secinfo):
|
||||
access = 0
|
||||
|
||||
#
|
||||
# This is based on MS-FSA
|
||||
# 2.1.5.13 Server Requests a Query of Security Information
|
||||
#
|
||||
# Note that MS-SMB2 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
|
||||
# doesn't specify any extra checks
|
||||
#
|
||||
|
||||
if secinfo & security.SECINFO_OWNER:
|
||||
access |= security.SEC_STD_READ_CONTROL
|
||||
if secinfo & security.SECINFO_GROUP:
|
||||
access |= security.SEC_STD_READ_CONTROL
|
||||
if secinfo & security.SECINFO_DACL:
|
||||
access |= security.SEC_STD_READ_CONTROL
|
||||
if secinfo & security.SECINFO_SACL:
|
||||
access |= security.SEC_FLAG_SYSTEM_SECURITY
|
||||
|
||||
if secinfo & security.SECINFO_LABEL:
|
||||
access |= security.SEC_STD_READ_CONTROL
|
||||
|
||||
return access
|
||||
|
||||
def required_access_for_set_secinfo(self, secinfo):
|
||||
access = 0
|
||||
|
||||
#
|
||||
# This is based on MS-FSA
|
||||
# 2.1.5.16 Server Requests Setting of Security Information
|
||||
# and additional constraints from
|
||||
# MS-SMB2 3.3.5.21.3 Handling SMB2_0_INFO_SECURITY
|
||||
#
|
||||
|
||||
if secinfo & security.SECINFO_OWNER:
|
||||
access |= security.SEC_STD_WRITE_OWNER
|
||||
if secinfo & security.SECINFO_GROUP:
|
||||
access |= security.SEC_STD_WRITE_OWNER
|
||||
if secinfo & security.SECINFO_DACL:
|
||||
access |= security.SEC_STD_WRITE_DAC
|
||||
if secinfo & security.SECINFO_SACL:
|
||||
access |= security.SEC_FLAG_SYSTEM_SECURITY
|
||||
|
||||
if secinfo & security.SECINFO_LABEL:
|
||||
access |= security.SEC_STD_WRITE_OWNER
|
||||
|
||||
if secinfo & security.SECINFO_ATTRIBUTE:
|
||||
access |= security.SEC_STD_WRITE_DAC
|
||||
|
||||
if secinfo & security.SECINFO_SCOPE:
|
||||
access |= security.SEC_FLAG_SYSTEM_SECURITY
|
||||
|
||||
if secinfo & security.SECINFO_BACKUP:
|
||||
access |= security.SEC_STD_WRITE_OWNER
|
||||
access |= security.SEC_STD_WRITE_DAC
|
||||
access |= security.SEC_FLAG_SYSTEM_SECURITY
|
||||
|
||||
return access
|
||||
|
||||
def get_acl(self,
|
||||
filename,
|
||||
sinfo = SECINFO_DEFAULT_FLAGS,
|
||||
access_mask = security.SEC_FLAG_MAXIMUM_ALLOWED):
|
||||
sinfo=None,
|
||||
access_mask=None):
|
||||
"""Get security descriptor for file."""
|
||||
if sinfo is None:
|
||||
sinfo = self.SECINFO_DEFAULT_FLAGS
|
||||
if access_mask is None:
|
||||
access_mask = self.required_access_for_get_secinfo(sinfo)
|
||||
fnum = self.create(
|
||||
Name=filename,
|
||||
DesiredAccess=access_mask,
|
||||
@ -49,11 +113,16 @@ class Conn(LibsmbCConn):
|
||||
def set_acl(self,
|
||||
filename,
|
||||
sd,
|
||||
sinfo = SECINFO_DEFAULT_FLAGS):
|
||||
sinfo=None,
|
||||
access_mask=None):
|
||||
"""Set security descriptor for file."""
|
||||
if sinfo is None:
|
||||
sinfo = self.SECINFO_DEFAULT_FLAGS
|
||||
if access_mask is None:
|
||||
access_mask = self.required_access_for_set_secinfo(sinfo)
|
||||
fnum = self.create(
|
||||
Name=filename,
|
||||
DesiredAccess=security.SEC_FLAG_MAXIMUM_ALLOWED,
|
||||
DesiredAccess=access_mask,
|
||||
ShareAccess=(FILE_SHARE_READ|FILE_SHARE_WRITE))
|
||||
try:
|
||||
self.set_sd(fnum, sd, sinfo)
|
||||
|
Loading…
Reference in New Issue
Block a user