1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

r17096: Simplify share_access_check a bit: It takes the sharename instead of the snum,

and the decision which token to use (conn or vuser) does not really belong
here, it is better done in the two places where this is called.

Volker
(This used to be commit 0a138888ad)
This commit is contained in:
Volker Lendecke 2006-07-17 19:50:59 +00:00 committed by Gerald (Jerry) Carter
parent 03f477b8a6
commit 283b74fce5
3 changed files with 23 additions and 19 deletions

View File

@ -320,36 +320,30 @@ static void map_generic_share_sd_bits(SEC_DESC *psd)
Can this user access with share with the required permissions ?
********************************************************************/
BOOL share_access_check(connection_struct *conn, int snum, user_struct *vuser, uint32 desired_access)
BOOL share_access_check(const NT_USER_TOKEN *token, const char *sharename,
uint32 desired_access)
{
uint32 granted;
NTSTATUS status;
TALLOC_CTX *mem_ctx = NULL;
SEC_DESC *psd = NULL;
size_t sd_size;
NT_USER_TOKEN *token = NULL;
BOOL ret = True;
mem_ctx = talloc_init("share_access_check");
if (mem_ctx == NULL)
if (!(mem_ctx = talloc_init("share_access_check"))) {
return False;
}
psd = get_share_security(mem_ctx, lp_servicename(snum), &sd_size);
psd = get_share_security(mem_ctx, sharename, &sd_size);
if (!psd)
goto out;
if (conn->nt_user_token)
token = conn->nt_user_token;
else
token = vuser->nt_user_token;
if (!psd) {
TALLOC_FREE(mem_ctx);
return True;
}
ret = se_access_check(psd, token, desired_access, &granted, &status);
out:
talloc_destroy(mem_ctx);
return ret;
}

View File

@ -767,11 +767,16 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
*/
{
BOOL can_write = share_access_check(conn, snum, vuser,
NT_USER_TOKEN *token = conn->nt_user_token ?
conn->nt_user_token : vuser->nt_user_token;
BOOL can_write = share_access_check(token,
lp_servicename(snum),
FILE_WRITE_DATA);
if (!can_write) {
if (!share_access_check(conn, snum, vuser,
if (!share_access_check(token,
lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
DEBUG(0,("make_connection: connection to %s "

View File

@ -87,6 +87,7 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
unsigned int i;
struct vuid_cache_entry *ent = NULL;
BOOL readonly_share;
NT_USER_TOKEN *token;
for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) {
if (conn->vuid_cache.array[i].vuid == vuser->vuid) {
@ -104,8 +105,12 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
vuser->nt_user_token,
SNUM(conn));
token = conn->nt_user_token ?
conn->nt_user_token : vuser->nt_user_token;
if (!readonly_share &&
!share_access_check(conn, snum, vuser, FILE_WRITE_DATA)) {
!share_access_check(token, lp_servicename(snum),
FILE_WRITE_DATA)) {
/* smb.conf allows r/w, but the security descriptor denies
* write. Fall back to looking at readonly. */
readonly_share = True;
@ -113,7 +118,7 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
"security descriptor\n"));
}
if (!share_access_check(conn, snum, vuser,
if (!share_access_check(token, lp_servicename(snum),
readonly_share ?
FILE_READ_DATA : FILE_WRITE_DATA)) {
return False;