2025-03-11 16:58:40 +03:00 · 2011-07-11 18:09:44 +02:00 · 2011-07-11 18:09:44 +02:00 · 18f967a248
commit 18f967a248
parent 7c10b5e033
1 changed files with 30 additions and 0 deletions
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@ -28,6 +28,7 @@
 #include "msdfs.h"
 #include "auth.h"
 #include "lib/param/loadparm.h"
+#include "libcli/security/security.h"

 /**********************************************************************
 Parse a DFS pathname of the form \hostname\service\reqpath
@ -279,6 +280,35 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,

 	set_conn_connectpath(conn, connpath);

+	/*
+	 * New code to check if there's a share security descripter
+	 * added from NT server manager. This is done after the
+	 * smb.conf checks are done as we need a uid and token. JRA.
+	 *
+	 */
+	if (conn->session_info) {
+		share_access_check(conn->session_info->security_token,
+				   lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+				   &conn->share_access);
+
+		if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+			if ((conn->share_access & FILE_READ_DATA) == 0) {
+				/* No access, read or write. */
+				DEBUG(0,("create_conn_struct: connection to %s "
+					 "denied due to security "
+					 "descriptor.\n",
+					 lp_servicename(snum)));
+				conn_free(conn);
+				return NT_STATUS_ACCESS_DENIED;
+			} else {
+				conn->read_only = true;
+			}
+		}
+	} else {
+		conn->share_access = 0;
+		conn->read_only = true;
+	}
+
 	if (!smbd_vfs_init(conn)) {
 		NTSTATUS status = map_nt_error_from_unix(errno);
 		DEBUG(0,("create_conn_struct: smbd_vfs_init failed.\n"));