The branch, master has been updated
       via  cde73e2 Remove opendir() VFS code from ACL modules.
       via  a763eda Call check_parent_access() on readdir.
       via  a11c0a4 Change function signature of check_parent_access() to take 
char * instead of struct smb_filename.
      from  f5fde21 s4-socket: do not segfault if the socket is NULL

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cde73e2ecec75f0b068555203962b43a4438d349
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Oct 31 12:38:36 2011 -0700

    Remove opendir() VFS code from ACL modules.
    
    Autobuild-User: Jeremy Allison <j...@samba.org>
    Autobuild-Date: Wed Nov  2 02:13:51 CET 2011 on sn-devel-104

commit a763edaf9c76afe2546c035fc090370301dd347b
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Oct 31 12:38:20 2011 -0700

    Call check_parent_access() on readdir.

commit a11c0a41a35aa2b1c14333552045a65e3e50df1e
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Oct 31 12:37:39 2011 -0700

    Change function signature of check_parent_access() to take char * instead 
of struct smb_filename.
    
    Expose it so it can be called from directory code.

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_acl_common.c |   48 --------------------------------------
 source3/modules/vfs_acl_tdb.c    |    1 -
 source3/modules/vfs_acl_xattr.c  |    1 -
 source3/smbd/dir.c               |   13 ++++++++++
 source3/smbd/open.c              |   12 ++++----
 source3/smbd/proto.h             |    4 +++
 6 files changed, 23 insertions(+), 56 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 14ac6f7..aebf0ae 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -564,41 +564,6 @@ static NTSTATUS get_parent_acl_common(vfs_handle_struct 
*handle,
        return status;
 }
 
-static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
-                               const char *path,
-                               uint32_t access_mask,
-                               struct security_descriptor **pp_parent_desc)
-{
-       char *parent_name = NULL;
-       struct security_descriptor *parent_desc = NULL;
-       uint32_t access_granted = 0;
-       NTSTATUS status;
-
-       status = get_parent_acl_common(handle, path, &parent_desc);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-       if (pp_parent_desc) {
-               *pp_parent_desc = parent_desc;
-       }
-       status = smb1_file_se_access_check(handle->conn,
-                                       parent_desc,
-                                       get_current_nttok(handle->conn),
-                                       access_mask,
-                                       &access_granted);
-       if(!NT_STATUS_IS_OK(status)) {
-               DEBUG(10,("check_parent_acl_common: access check "
-                       "on directory %s for "
-                       "path %s for mask 0x%x returned %s\n",
-                       parent_name,
-                       path,
-                       access_mask,
-                       nt_errstr(status) ));
-               return status;
-       }
-       return NT_STATUS_OK;
-}
-
 /*********************************************************************
  Fetch a security descriptor given an fsp.
 *********************************************************************/
@@ -701,19 +666,6 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct 
*handle, files_struct *fsp,
        return NT_STATUS_OK;
 }
 
-static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
-                       const char *fname, const char *mask, uint32 attr)
-{
-       NTSTATUS status = check_parent_acl_common(handle, fname,
-                                       SEC_DIR_LIST, NULL);
-
-       if (!NT_STATUS_IS_OK(status)) {
-               errno = map_errno_from_nt_status(status);
-               return NULL;
-       }
-       return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
-}
-
 static int acl_common_remove_object(vfs_handle_struct *handle,
                                        const char *path,
                                        bool is_directory)
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index a4869c0..647d133 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -400,7 +400,6 @@ static int sys_acl_set_fd_tdb(vfs_handle_struct *handle,
 static struct vfs_fn_pointers vfs_acl_tdb_fns = {
        .connect_fn = connect_acl_tdb,
        .disconnect = disconnect_acl_tdb,
-       .opendir = opendir_acl_common,
        .rmdir = rmdir_acl_tdb,
        .create_file = create_file_acl_common,
        .unlink = unlink_acl_tdb,
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 473c2fc..f1a2e89 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -201,7 +201,6 @@ static int connect_acl_xattr(struct vfs_handle_struct 
*handle,
 
 static struct vfs_fn_pointers vfs_acl_xattr_fns = {
        .connect_fn = connect_acl_xattr,
-       .opendir = opendir_acl_common,
        .rmdir = rmdir_acl_common,
        .create_file = create_file_acl_common,
        .unlink = unlink_acl_common,
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index cc74886..18c5935 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -427,6 +427,7 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct 
*fsp,
        struct smbd_server_connection *sconn = conn->sconn;
        struct dptr_struct *dptr = NULL;
        struct smb_Dir *dir_hnd;
+       NTSTATUS status;
 
        if (fsp && fsp->is_directory && fsp->fh->fd != -1) {
                path = fsp->fsp_name->base_name;
@@ -443,6 +444,18 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct 
*fsp,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       status = check_parent_access(conn,
+                               path,
+                               SEC_DIR_LIST,
+                               NULL);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5,("dptr_create: parent access check for path "
+                       "%s failed with %s\n",
+                       path,
+                       nt_errstr(status)));
+               return status;
+       }
+
        if (fsp) {
                dir_hnd = OpenDir_fsp(NULL, conn, fsp, wcard, attr);
        } else {
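Review bot: The SEC_DIR_LIST check added ahead of OpenDir_fsp() is evaluated on the parent of `path`, not on `path` itself, because check_parent_access() in open.c feeds its path argument to `parent_dirname()` and reports the check against `parent_dir`. In dptr_create() `path` appears to be the directory being enumerated (it is taken from `fsp->fsp_name->base_name` when fsp is a directory), so the list right is presumably being tested one level above the directory whose entries are returned. The removed opendir_acl_common() also went through a parent-ACL helper, so this looks like preserved behaviour rather than a regression, but the intended object of the check should be confirmed. At minimum add a comment such as `/* NB: SEC_DIR_LIST is checked on the parent of path, as the old opendir_acl_common() did. */`. dptr_create's body starts and ends outside this hunk.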
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 42edddc..e8c24a0 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -201,8 +201,8 @@ static NTSTATUS smbd_check_open_rights(struct 
connection_struct *conn,
        }
 }
 
-static NTSTATUS check_parent_access(struct connection_struct *conn,
-                               struct smb_filename *smb_fname,
+NTSTATUS check_parent_access(struct connection_struct *conn,
+                               const char *path,
                                uint32_t access_mask,
                                char **pp_parent_dir)
 {
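Review bot: check_parent_access() loses `static` here and gains a prototype in proto.h, but it has no header comment telling new callers that `path` names the child object and that `access_mask` is tested on its parent directory. I would add one above the definition, for example `/* Check access_mask against the parent directory of path; pp_parent_dir, if non-NULL, receives the parent name. */`. What pp_parent_dir receives is an assumption to confirm against the body, which continues outside this hunk. The comment should also say who owns the returned string, which from the `talloc_tos()` call in the following hunk looks like the current talloc stackframe.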
@@ -212,7 +212,7 @@ static NTSTATUS check_parent_access(struct 
connection_struct *conn,
        uint32_t access_granted = 0;
 
        if (!parent_dirname(talloc_tos(),
-                               smb_fname->base_name,
+                               path,
                                &parent_dir,
                                NULL)) {
                return NT_STATUS_NO_MEMORY;
@@ -241,7 +241,7 @@ static NTSTATUS check_parent_access(struct 
connection_struct *conn,
                        "on directory %s for "
                        "path %s for mask 0x%x returned (0x%x) %s\n",
                        parent_dir,
-                       smb_fname->base_name,
+                       path,
                        access_mask,
                        access_granted,
                        nt_errstr(status) ));
@@ -618,7 +618,7 @@ static NTSTATUS open_file(files_struct *fsp,
                                                access_mask);
                        } else if (local_flags & O_CREAT){
                                status = check_parent_access(conn,
-                                               smb_fname,
+                                               smb_fname->base_name,
                                                SEC_DIR_ADD_FILE,
                                                NULL);
                        } else {
@@ -2564,7 +2564,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
        }
 
        status = check_parent_access(conn,
-                                       smb_dname,
+                                       smb_dname->base_name,
                                        access_mask,
                                        &parent_dir);
        if(!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 343b0b9..351fc49 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -585,6 +585,10 @@ NTSTATUS smb1_file_se_access_check(connection_struct *conn,
                                const struct security_token *token,
                                uint32_t access_desired,
                                uint32_t *access_granted);
+NTSTATUS check_parent_access(struct connection_struct *conn,
+                               const char *path,
+                               uint32_t access_mask,
+                               char **pp_parent_dir);
 NTSTATUS fd_close(files_struct *fsp);
 void change_file_owner_to_parent(connection_struct *conn,
                                 const char *inherit_from_dir,


-- 
Samba Shared Repository
