mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evaluating file/directory ACE's.
If we can access the path to this file, by default we have FILE_READ_ATTRIBUTES from the containing directory. See the section. "Algorithm to Check Access to an Existing File" in MS-FSA.pdf. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
This commit is contained in:
parent
e6a100e86b
commit
4985332b95
@ -131,7 +131,13 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
|
||||
}
|
||||
|
||||
/*
|
||||
* Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
|
||||
* If we can access the path to this file, by
|
||||
* default we have FILE_READ_ATTRIBUTES from the
|
||||
* containing directory. See the section:
|
||||
* "Algorithm to Check Access to an Existing File"
|
||||
* in MS-FSA.pdf.
|
||||
*
|
||||
* se_file_access_check() also takes care of
|
||||
* owner WRITE_DAC and READ_CONTROL.
|
||||
*/
|
||||
status = se_file_access_check(sd,
|
||||
@ -249,7 +255,13 @@ static NTSTATUS check_parent_access(struct connection_struct *conn,
|
||||
}
|
||||
|
||||
/*
|
||||
* Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
|
||||
* If we can access the path to this file, by
|
||||
* default we have FILE_READ_ATTRIBUTES from the
|
||||
* containing directory. See the section:
|
||||
* "Algorithm to Check Access to an Existing File"
|
||||
* in MS-FSA.pdf.
|
||||
*
|
||||
* se_file_access_check() also takes care of
|
||||
* owner WRITE_DAC and READ_CONTROL.
|
||||
*/
|
||||
status = se_file_access_check(parent_sd,
|
||||
@ -1704,7 +1716,13 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
|
||||
}
|
||||
|
||||
/*
|
||||
* Never test FILE_READ_ATTRIBUTES. se_file_access_check()
|
||||
* If we can access the path to this file, by
|
||||
* default we have FILE_READ_ATTRIBUTES from the
|
||||
* containing directory. See the section:
|
||||
* "Algorithm to Check Access to an Existing File"
|
||||
* in MS-FSA.pdf.
|
||||
*
|
||||
* se_file_access_check()
|
||||
* also takes care of owner WRITE_DAC and READ_CONTROL.
|
||||
*/
|
||||
status = se_file_access_check(sd,
|
||||
|
Loading…
Reference in New Issue
Block a user