The branch, master has been updated via cde73e2 Remove opendir() VFS code from ACL modules. via a763eda Call check_parent_access() on readdir. via a11c0a4 Change function signature of check_parent_access() to take char * instead of struct smb_filename. from f5fde21 s4-socket: do not segfault if the socket is NULL
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit cde73e2ecec75f0b068555203962b43a4438d349 Author: Jeremy Allison <j...@samba.org> Date: Mon Oct 31 12:38:36 2011 -0700 Remove opendir() VFS code from ACL modules. Autobuild-User: Jeremy Allison <j...@samba.org> Autobuild-Date: Wed Nov 2 02:13:51 CET 2011 on sn-devel-104 commit a763edaf9c76afe2546c035fc090370301dd347b Author: Jeremy Allison <j...@samba.org> Date: Mon Oct 31 12:38:20 2011 -0700 Call check_parent_access() on readdir. commit a11c0a41a35aa2b1c14333552045a65e3e50df1e Author: Jeremy Allison <j...@samba.org> Date: Mon Oct 31 12:37:39 2011 -0700 Change function signature of check_parent_access() to take char * instead of struct smb_filename. Expose it so it can be called from directory code. ----------------------------------------------------------------------- Summary of changes: source3/modules/vfs_acl_common.c | 48 -------------------------------------- source3/modules/vfs_acl_tdb.c | 1 - source3/modules/vfs_acl_xattr.c | 1 - source3/smbd/dir.c | 13 ++++++++++ source3/smbd/open.c | 12 ++++---- source3/smbd/proto.h | 4 +++ 6 files changed, 23 insertions(+), 56 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 14ac6f7..aebf0ae 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -564,41 +564,6 @@ static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle,
 return status;
 }
 
-static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
- const char *path,
- uint32_t access_mask,
- struct security_descriptor **pp_parent_desc)
-{
- char *parent_name = NULL;
- struct security_descriptor *parent_desc = NULL;
- uint32_t access_granted = 0;
- NTSTATUS status;
-
- status = get_parent_acl_common(handle, path, &parent_desc);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- if (pp_parent_desc) {
- *pp_parent_desc = parent_desc;
- }
- status = smb1_file_se_access_check(handle->conn,
- parent_desc,
- get_current_nttok(handle->conn),
- access_mask,
- &access_granted);
- if(!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("check_parent_acl_common: access check "
- "on directory %s for "
- "path %s for mask 0x%x returned %s\n",
- parent_name,
- path,
- access_mask,
- nt_errstr(status) ));
- return status;
- }
- return NT_STATUS_OK;
-}
-
 /*********************************************************************
 Fetch a security descriptor given an fsp.
 *********************************************************************/
@@ -701,19 +666,6 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
 return NT_STATUS_OK;
 }
 
-static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
- const char *fname, const char *mask, uint32 attr)
-{
- NTSTATUS status = check_parent_acl_common(handle, fname,
- SEC_DIR_LIST, NULL);
-
- if (!NT_STATUS_IS_OK(status)) {
- errno = map_errno_from_nt_status(status);
- return NULL;
- }
- return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
-}
-
 static int acl_common_remove_object(vfs_handle_struct *handle,
 const char *path,
 bool is_directory)
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index a4869c0..647d133 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -400,7 +400,6 @@ static int sys_acl_set_fd_tdb(vfs_handle_struct *handle,
 static struct vfs_fn_pointers vfs_acl_tdb_fns = {
 .connect_fn = connect_acl_tdb,
 .disconnect = disconnect_acl_tdb,
- .opendir = opendir_acl_common,
 .rmdir = rmdir_acl_tdb,
 .create_file = create_file_acl_common,
 .unlink = unlink_acl_tdb,
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 473c2fc..f1a2e89 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -201,7 +201,6 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 
 static struct vfs_fn_pointers vfs_acl_xattr_fns = {
 .connect_fn = connect_acl_xattr,
- .opendir = opendir_acl_common,
 .rmdir = rmdir_acl_common,
 .create_file = create_file_acl_common,
 .unlink = unlink_acl_common,
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index cc74886..18c5935 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -427,6 +427,7 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 struct smbd_server_connection *sconn = conn->sconn;
 struct dptr_struct *dptr = NULL;
 struct smb_Dir *dir_hnd;
+ NTSTATUS status;
 
 if (fsp && fsp->is_directory && fsp->fh->fd != -1) {
 path = fsp->fsp_name->base_name;
@@ -443,6 +444,18 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 return NT_STATUS_INVALID_PARAMETER;
 }
 
+ status = check_parent_access(conn,
+ path,
+ SEC_DIR_LIST,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("dptr_create: parent access check for path "
+ "%s failed with %s\n",
+ path,
+ nt_errstr(status)));
+ return status;
+ }
+
 if (fsp) {
 dir_hnd = OpenDir_fsp(NULL, conn, fsp, wcard, attr);
 } else {
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 42edddc..e8c24a0 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
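Review bot: The `check_parent_access(conn, path, SEC_DIR_LIST, NULL)` call added to dptr_create appears to test SEC_DIR_LIST against the parent of `path`, not against the directory being listed; the open.c hunks of this push show check_parent_access() handing `path` to `parent_dirname()` and logging the result as the directory that was checked. The removed opendir_acl_common did the same, so this is carried over rather than new, but it would mean a directory whose own descriptor denies listing can still be enumerated when its parent permits it, and the check now sits in smbd instead of inside the ACL modules. If the parent check is what is intended, state it above the call, e.g. `/* NB: this checks SEC_DIR_LIST on the parent of path, not on path itself. */`; if not, the access check should be made on `path` itself. dptr_create starts and ends outside this hunk, so how `path` is set in the non-fsp branch cannot be confirmed from here.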
@@ -201,8 +201,8 @@ static NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 }
 }
 
-static NTSTATUS check_parent_access(struct connection_struct *conn,
- struct smb_filename *smb_fname,
+NTSTATUS check_parent_access(struct connection_struct *conn,
+ const char *path,
 uint32_t access_mask,
 char **pp_parent_dir)
 {
@@ -212,7 +212,7 @@ static NTSTATUS check_parent_access(struct connection_struct *conn,
 uint32_t access_granted = 0;
 
 if (!parent_dirname(talloc_tos(),
- smb_fname->base_name,
+ path,
 &parent_dir,
 NULL)) {
 return NT_STATUS_NO_MEMORY;
@@ -241,7 +241,7 @@ static NTSTATUS check_parent_access(struct connection_struct *conn,
 "on directory %s for "
 "path %s for mask 0x%x returned (0x%x) %s\n",
 parent_dir,
- smb_fname->base_name,
+ path,
 access_mask,
 access_granted,
 nt_errstr(status) ));
@@ -618,7 +618,7 @@ static NTSTATUS open_file(files_struct *fsp,
 access_mask);
 } else if (local_flags & O_CREAT){
 status = check_parent_access(conn,
- smb_fname,
+ smb_fname->base_name,
 SEC_DIR_ADD_FILE,
 NULL);
 } else {
@@ -2564,7 +2564,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 }
 
 status = check_parent_access(conn,
- smb_dname,
+ smb_dname->base_name,
 access_mask,
 &parent_dir);
 if(!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 343b0b9..351fc49 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -585,6 +585,10 @@ NTSTATUS smb1_file_se_access_check(connection_struct *conn,
 const struct security_token *token,
 uint32_t access_desired,
 uint32_t *access_granted);
+NTSTATUS check_parent_access(struct connection_struct *conn,
+ const char *path,
+ uint32_t access_mask,
+ char **pp_parent_dir);
 NTSTATUS fd_close(files_struct *fsp);
 void change_file_owner_to_parent(connection_struct *conn,
 const char *inherit_from_dir,
-- Samba Shared Repository
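Review bot: check_parent_access() loses `static` in the first open.c hunk and gains a prototype in the proto.h hunk, yet it has no header comment telling new callers what it checks or what comes back through `pp_parent_dir`. Now that it takes a bare `const char *path` and is reachable from directory code, the contract should be written down: the mask is tested against the parent directory of `path`, and the parent name is produced by `parent_dirname(talloc_tos(), ...)`, so anything returned to the caller presumably lives on the current talloc stack frame. A comment above the definition such as `/* Check access_mask on the parent directory of path; *pp_parent_dir, if requested, is talloc_tos() memory (confirm). */` would cover it. The function body continues outside these hunks, so the assignment to `*pp_parent_dir` is not visible here.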