1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evaluating file/directory ACE's.

If we can access the path to this file, by
default we have FILE_READ_ATTRIBUTES from the
containing directory. See the section.
"Algorithm to Check Access to an Existing File"
in MS-FSA.pdf.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
This commit is contained in:
Jeremy Allison 2012-11-14 14:40:50 -08:00 committed by Michael Adam
parent e6a100e86b
commit 4985332b95

View File

@ -131,7 +131,13 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
}
/*
* Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
* If we can access the path to this file, by
* default we have FILE_READ_ATTRIBUTES from the
* containing directory. See the section:
* "Algorithm to Check Access to an Existing File"
* in MS-FSA.pdf.
*
* se_file_access_check() also takes care of
* owner WRITE_DAC and READ_CONTROL.
*/
status = se_file_access_check(sd,
@ -249,7 +255,13 @@ static NTSTATUS check_parent_access(struct connection_struct *conn,
}
/*
* Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
* If we can access the path to this file, by
* default we have FILE_READ_ATTRIBUTES from the
* containing directory. See the section:
* "Algorithm to Check Access to an Existing File"
* in MS-FSA.pdf.
*
* se_file_access_check() also takes care of
* owner WRITE_DAC and READ_CONTROL.
*/
status = se_file_access_check(parent_sd,
@ -1704,7 +1716,13 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
}
/*
* Never test FILE_READ_ATTRIBUTES. se_file_access_check()
* If we can access the path to this file, by
* default we have FILE_READ_ATTRIBUTES from the
* containing directory. See the section:
* "Algorithm to Check Access to an Existing File"
* in MS-FSA.pdf.
*
* se_file_access_check()
* also takes care of owner WRITE_DAC and READ_CONTROL.
*/
status = se_file_access_check(sd,