diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 3d276431dc2..1dd40c0e06b 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -349,6 +349,13 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, uid_t uid = geteuid(); uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL; + if ((pvfs->flags & PVFS_FLAG_READONLY) && + ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE | + SEC_DIR_DELETE_CHILD))) { + return NT_STATUS_ACCESS_DENIED; + } + /* owner and root get extra permissions */ if (uid == 0) { max_bits |= SEC_STD_ALL | SEC_FLAG_SYSTEM_SECURITY; @@ -390,6 +397,13 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs, NTSTATUS status; struct security_descriptor *sd; + if ((pvfs->flags & PVFS_FLAG_READONLY) && + ((*access_mask) & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE | + SEC_DIR_DELETE_CHILD))) { + return NT_STATUS_ACCESS_DENIED; + } + acl = talloc(req, struct xattr_NTACL); if (acl == NULL) { return NT_STATUS_NO_MEMORY;