From c9876defe6c641adc9935d85fca50702974a14d6 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Wed, 4 Jul 2018 11:09:50 +1200
Subject: [PATCH] smbd/posix_acls: reuse secutiry token from session info if exist

If session info was passed down from upstream, then try to use it to get security token, other then creating token every time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521

Signed-off-by: Joe Guo
Reviewed-by: Andrew Bartlett
Reviewed-by: Gary Lockyer
---
 source3/smbd/posix_acls.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 70834d5fc7d..8cc9cf1f2fc 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1251,11 +1251,37 @@ static void ensure_minimal_owner_ace_perms(const bool is_directory,

 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
 {
+ bool is_sid = false;
+ bool has_sid = false;
+ struct security_token *security_token = NULL;
+
 /* "Everyone" always matches every uid. */

 if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
 return True;

+ /*
+ * if we have session info in conn, we already have the (SID
+ * based) NT token and don't need to do the complex
+ * user_in_group_sid() call
+ */
+ if (conn->session_info) {
+ security_token = conn->session_info->security_token;
+ /* security_token should not be NULL */
+ SMB_ASSERT(security_token);
+ is_sid = security_token_is_sid(security_token,
+ &uid_ace->trustee);
+ if (is_sid) {
+ has_sid = security_token_has_sid(security_token,
+ &group_ace->trustee);
+
+ if (has_sid) {
+ return true;
+ }
+ }
+
+ }
+
 /*
 * if it's the current user, we already have the unix token
 * and don't need to do the complex user_in_group_sid() call
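Review bot: The `SMB_ASSERT(security_token);` in the new `conn->session_info` branch turns an unexpected NULL token into a process panic inside an ACL membership helper, even though the slower checks below it could still answer the question. Unless every path that sets `conn->session_info` is guaranteed to populate the token, I would fold the test into the guard, `if (conn->session_info != NULL && conn->session_info->security_token != NULL) {`, and fall through otherwise. The block comment also overstates the shortcut: only a positive match returns early, while a miss still continues to the unix-token check and, presumably, user_in_group_sid(), so the comment should say something like `only a match short-circuits; a miss falls through to the checks below`. uid_entry_in_group() continues past the end of the hunk, so the fall-through path is not visible here.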