The branch, v3-5-test has been updated
via 3834777... Fix bug 7581 - Users in "admin users" in smb.conf file
are unable to read/write all files when the acl_xattr vfs module is used.
from bb92b0e... s3-printing: fix BUG 7280 - auto printers not loading
with registry config
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit 383477789445d42d0d7451fea770c456625f16e1
Author: Jeremy Allison <j...@samba.org>
Date: Thu Aug 12 17:02:30 2010 -0700
Fix bug 7581 - Users in "admin users" in smb.conf file are unable to
read/write all files when the acl_xattr vfs module is used.
Correctly check admin users in smb1_file_se_access_check().
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/include/proto.h | 3 ++-
source3/modules/vfs_acl_common.c | 6 ++++--
source3/smbd/open.c | 31 +++++++++++++++++--------------
3 files changed, 23 insertions(+), 17 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 9da40b0..4d3fb63 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6583,7 +6583,8 @@ void reply_nttranss(struct smb_request *req);
/* The following definitions come from smbd/open.c */
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
const NT_USER_TOKEN *token,
uint32_t access_desired,
uint32_t *access_granted);
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 10781c4..abc4a62 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -471,7 +471,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct
*handle,
nt_errstr(status) ));
return status;
}
- status = smb1_file_se_access_check(parent_desc,
+ status = smb1_file_se_access_check(handle->conn,
+ parent_desc,
handle->conn->server_info->ptok,
access_mask,
&access_granted);
@@ -535,7 +536,8 @@ static int open_acl_common(vfs_handle_struct *handle,
&pdesc);
if (NT_STATUS_IS_OK(status)) {
/* See if we can access it. */
- status = smb1_file_se_access_check(pdesc,
+ status = smb1_file_se_access_check(handle->conn,
+ pdesc,
handle->conn->server_info->ptok,
fsp->access_mask,
&access_granted);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 120de0f..1bf7e23 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -49,11 +49,23 @@ static NTSTATUS create_file_unixpath(connection_struct
*conn,
SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
****************************************************************************/
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
const NT_USER_TOKEN *token,
uint32_t access_desired,
uint32_t *access_granted)
{
+ *access_granted = 0;
+
+ if (conn->server_info->utok.uid == 0 || conn->admin_user) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_desired;
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_granted |= FILE_GENERIC_ALL;
+ }
+ return NT_STATUS_OK;
+ }
+
return se_access_check(sd,
token,
(access_desired & ~FILE_READ_ATTRIBUTES),
@@ -73,17 +85,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct
*conn,
NTSTATUS status;
struct security_descriptor *sd = NULL;
- *access_granted = 0;
-
- if (conn->server_info->utok.uid == 0 || conn->admin_user) {
- /* I'm sorry sir, I didn't know you were root... */
- *access_granted = access_mask;
- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
- *access_granted |= FILE_GENERIC_ALL;
- }
- return NT_STATUS_OK;
- }
-
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
(OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
@@ -97,7 +98,8 @@ NTSTATUS smbd_check_open_rights(struct connection_struct
*conn,
return status;
}
- status = smb1_file_se_access_check(sd,
+ status = smb1_file_se_access_check(conn,
+ sd,
conn->server_info->ptok,
access_mask,
access_granted);
@@ -1412,7 +1414,8 @@ static NTSTATUS calculate_access_mask(connection_struct
*conn,
return NT_STATUS_ACCESS_DENIED;
}
- status = smb1_file_se_access_check(sd,
+ status = smb1_file_se_access_check(conn,
+ sd,
conn->server_info->ptok,
access_mask,
&access_granted);
--
Samba Shared Repository
