sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00
Code

s3: smbd: Allow fchmod from the NFS-style mode ACL in set_nt_acl() for a SMB2 POSIX handle.

Browse Source 
To set a mode, send a one-element ACL.

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 27 19:31:01 UTC 2023 on atb-devel-224
This commit is contained in:
Jeremy Allison 2018-03-01 14:37:52 -08:00
parent 631e6aa0d0
commit 8f42b8431e
1 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
source3/smbd/smb2_nttrans.c
View File

@ -167,6 +167,50 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
return status; return status;
} }
static bool check_smb2_posix_chmod_ace(const struct files_struct *fsp,
uint32_t security_info_sent,
struct security_descriptor *psd,
mode_t *pmode)
{
int cmp;
/*
* This must be an ACL with one ACE containing an
* MS NFS style mode entry coming in on a POSIX
* handle over SMB2+.
*/
if (!fsp->conn->sconn->using_smb2) {
return false;
}
if (!(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN)) {
return false;
}
if (!(security_info_sent & SECINFO_DACL)) {
return false;
}
if (psd->dacl == NULL) {
return false;
}
if (psd->dacl->num_aces != 1) {
return false;
}
cmp = dom_sid_compare_domain(&global_sid_Unix_NFS_Mode,
&psd->dacl->aces[0].trustee);
if (cmp != 0) {
return false;
}
*pmode = (mode_t)psd->dacl->aces[0].trustee.sub_auths[2];
*pmode &= (S_IRWXU | S_IRWXG | S_IRWXO);
return true;
}
/**************************************************************************** /****************************************************************************
Internal fn to set security descriptors from a data blob. Internal fn to set security descriptors from a data blob.
****************************************************************************/ ****************************************************************************/
@ -176,6 +220,9 @@ NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
{ {
struct security_descriptor *psd = NULL; struct security_descriptor *psd = NULL;
NTSTATUS status; NTSTATUS status;
bool do_chmod = false;
mode_t smb2_posix_mode = 0;
int ret;
if (sd_len == 0) { if (sd_len == 0) {
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
@ -187,7 +234,27 @@ NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
return status; return status;
} }
return set_sd(fsp, psd, security_info_sent); do_chmod = check_smb2_posix_chmod_ace(fsp,
security_info_sent,
psd,
&smb2_posix_mode);
if (!do_chmod) {
return set_sd(fsp, psd, security_info_sent);
}
TALLOC_FREE(psd);
ret = SMB_VFS_FCHMOD(fsp, smb2_posix_mode);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
DBG_ERR("smb2_posix_chmod [%s] [%04o] failed: %s\n",
fsp_str_dbg(fsp),
(unsigned)smb2_posix_mode,
nt_errstr(status));
return status;
}
return NT_STATUS_OK;
} }
/**************************************************************************** /****************************************************************************