mirror of
https://github.com/samba-team/samba.git
synced 2025-02-26 21:57:41 +03:00
Change get_nt_acl_no_snum() to return an NTSTATUS, not a struct security_descriptor *.
Internally change the implementation to use SMB_VFS_GET_NT_ACL() instead of SMB_VFS_FGET_NT_ACL() with a faked-up file struct. Andrew Bartlett Reviewed by: Jeremy Allison <jra@samba.org>
parent
a4434297f1
commit
236977bf46
@ -91,12 +91,15 @@ static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token
|
||||
|
||||
/* get the security descriptor for the file */
|
||||
|
||||
sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
|
||||
status = get_nt_acl_no_snum( info,
|
||||
tdbname,
|
||||
SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL,
|
||||
&sec_desc);
|
||||
TALLOC_FREE( tdbname );
|
||||
|
||||
if ( !sec_desc ) {
|
||||
DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
|
||||
tdbname));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(5,("elog_check_access: Unable to get NT ACL for %s: %s\n",
|
||||
tdbname, nt_errstr(status)));
|
||||
return False;
|
||||
}
|
||||
|
||||
|
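Review bot: The new failure branch still logs `tdbname` after `TALLOC_FREE( tdbname )` has run. That macro frees the string and clears the pointer, so the `%s` in `"Unable to get NT ACL for %s: %s\n"` receives NULL and the log never names the file whose ACL could not be read. Move the free below the status check: call `TALLOC_FREE( tdbname );` inside the `if (!NT_STATUS_IS_OK(status))` block after the DEBUG and before `return False;`, and once more after the block for the success path. Returning False on any non-OK status keeps the access check fail-closed, which is worth stating in a comment such as `/* no descriptor, no access */`. The body of elog_check_access continues outside this hunk.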
@ -4963,30 +4963,34 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
|
||||
check. Caller is responsible for freeing the returned security
|
||||
descriptor via TALLOC_FREE(). This is designed for dealing with
|
||||
user space access checks in smbd outside of the VFS. For example,
|
||||
checking access rights in OpenEventlog().
|
||||
checking access rights in OpenEventlog() or from python.
|
||||
|
||||
Assume we are dealing with files (for now)
|
||||
********************************************************************/
|
||||
|
||||
struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted)
|
||||
NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
|
||||
uint32 security_info_wanted,
|
||||
struct security_descriptor **sd)
|
||||
{
|
||||
struct security_descriptor *ret_sd;
|
||||
connection_struct *conn;
|
||||
files_struct finfo;
|
||||
struct fd_handle fh;
|
||||
NTSTATUS status;
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
connection_struct *conn;
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
|
||||
if (!posix_locking_init(false)) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
conn = talloc_zero(frame, connection_struct);
|
||||
if (conn == NULL) {
|
||||
TALLOC_FREE(frame);
|
||||
DEBUG(0, ("talloc failed\n"));
|
||||
return NULL;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
if (!(conn->params = talloc(conn, struct share_params))) {
|
||||
DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
|
||||
DEBUG(0, ("talloc failed\n"));
|
||||
TALLOC_FREE(frame);
|
||||
return NULL;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
conn->params->service = -1;
|
||||
@ -4994,43 +4998,21 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
|
||||
set_conn_connectpath(conn, "/");
|
||||
|
||||
if (!smbd_vfs_init(conn)) {
|
||||
DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
|
||||
conn_free(conn);
|
||||
DEBUG(0,("smbd_vfs_init() failed!\n"));
|
||||
TALLOC_FREE(frame);
|
||||
return NULL;
|
||||
}
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
ZERO_STRUCT( finfo );
|
||||
ZERO_STRUCT( fh );
|
||||
|
||||
finfo.fnum = FNUM_FIELD_INVALID;
|
||||
finfo.conn = conn;
|
||||
finfo.fh = &fh;
|
||||
finfo.fh->fd = -1;
|
||||
|
||||
status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
|
||||
&finfo.fsp_name);
|
||||
status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
conn_free(conn);
|
||||
TALLOC_FREE(frame);
|
||||
return NULL;
|
||||
DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
|
||||
nt_errstr(status)));
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo,
|
||||
security_info_wanted,
|
||||
ctx, &ret_sd))) {
|
||||
DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
|
||||
TALLOC_FREE(finfo.fsp_name);
|
||||
conn_free(conn);
|
||||
TALLOC_FREE(frame);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
TALLOC_FREE(finfo.fsp_name);
|
||||
conn_free(conn);
|
||||
TALLOC_FREE(frame);
|
||||
|
||||
return ret_sd;
|
||||
return status;
|
||||
}
|
||||
|
||||
/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
|
||||
|
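Review bot: The failure log added after `SMB_VFS_GET_NT_ACL()` reads `set_nt_acl_no_snum: fset_nt_acl returned %s.`, which names a different function and VFS call from the ones that failed, so anyone triaging an ACL read failure from the logs is sent to the wrong code path. `DEBUG(0,("get_nt_acl_no_snum: SMB_VFS_GET_NT_ACL returned %s.\n", nt_errstr(status)));` would match the code. Separately, `*sd` is never written on the early-return paths, so adding `*sd = NULL;` at the top of the function would make a caller that forgets to test the status fail on a NULL descriptor rather than on an uninitialised pointer. The header comment should also state that the descriptor is valid only when NT_STATUS_OK is returned. As rendered, the function spans both hunks of this file.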
@ -732,7 +732,8 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname,
|
||||
const SMB_STRUCT_STAT *psbuf,
|
||||
uint16 num_def_acls, const char *pdata);
|
||||
bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata);
|
||||
struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted);
|
||||
NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted,
|
||||
struct security_descriptor **sd);
|
||||
NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
|
||||
const char *name,
|
||||
SMB_STRUCT_STAT *psbuf,
|
||||
|
@ -495,11 +495,13 @@ static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args)
|
||||
PyObject *py_sd;
|
||||
struct security_descriptor *sd;
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
|
||||
NTSTATUS status;
|
||||
|
||||
if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
|
||||
return NULL;
|
||||
|
||||
sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
|
||||
status = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted, &sd);
|
||||
PyErr_NTSTATUS_IS_ERR_RAISE(status);
|
||||
|
||||
py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
|
||||
|
||||
|
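Review bot: `PyErr_NTSTATUS_IS_ERR_RAISE(status)` appears to return from py_smbd_get_nt_acl on failure, and nothing visible frees `tmp_ctx` before that, so every failed ACL lookup from Python would leak the talloc context. The macro's name also suggests it tests NT_STATUS_IS_ERR rather than !NT_STATUS_IS_OK, in which case a warning-class status would fall through to `py_return_ndr_struct()` with `sd` never assigned. An explicit check avoids both: `if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); PyErr_SetNTSTATUS(status); return NULL; }`. The `PyArg_ParseTuple` early return has the same leak, and declaring `sd` as `= NULL` would make any missed path fail predictably. The function body starts and ends outside this hunk, so confirm where `tmp_ctx` is released on the success path.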