The branch, master has been updated via 0d4cb5a641e smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL from cf6cc948e04 s3:profile: make use of tevent_cached_getpid() in performance critical code
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0d4cb5a641e1fea2d369bdc66470a580321366c2 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jul 13 11:15:39 2022 +0000 smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL commit 8e3798dd22276bc1ac8e96004d0e5e974240a7b9 actually came with a change in behavior..., as SMB_VFS_GET_NT_ACL_AT() (at the time) and now SMB_VFS_FGET_NT_ACL() is always called even if it's not needed. E.g. access by root. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Tue Jul 26 00:31:29 UTC 2022 on sn-devel-184 ----------------------------------------------------------------------- Summary of changes: source3/smbd/open.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3a8c0bf9c48..ee61137ab9d 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -95,18 +95,13 @@ static bool parent_override_delete(connection_struct *conn,
 Check if we have open rights.
 ****************************************************************************/

-static NTSTATUS smbd_check_access_rights_sd(
+static NTSTATUS smbd_check_access_rights_fname(
 struct connection_struct *conn,
- struct files_struct *dirfsp,
 const struct smb_filename *smb_fname,
- struct security_descriptor *sd,
 bool use_privs,
 uint32_t access_mask)
 {
 uint32_t rejected_share_access;
- uint32_t rejected_mask = access_mask;
- uint32_t do_not_check_mask = 0;
- NTSTATUS status;

 rejected_share_access = access_mask & ~(conn->share_access);

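Review bot: The banner comment left above the renamed function, "Check if we have open rights.", does not say what `smbd_check_access_rights_fname()` returns now that it ends in `return NT_STATUS_MORE_PROCESSING_REQUIRED;` (added in the next hunk). The helper's result is a three-way access decision: a final grant, presumably a final denial on the `rejected_share_access` path, or "undecided, the security descriptor still has to be evaluated". A caller that tests it with `NT_STATUS_IS_OK()` alone would treat the undecided case as a denial. I would extend the comment along the lines of `Checks that need no security descriptor. Returns NT_STATUS_MORE_PROCESSING_REQUIRED if the descriptor must still be evaluated; any other status is final.` The function body runs past the end of this hunk.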
@@ -147,6 +142,21 @@ static NTSTATUS smbd_check_access_rights_sd(
 return NT_STATUS_OK;
 }

+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static NTSTATUS smbd_check_access_rights_sd(
+ struct connection_struct *conn,
+ struct files_struct *dirfsp,
+ const struct smb_filename *smb_fname,
+ struct security_descriptor *sd,
+ bool use_privs,
+ uint32_t access_mask)
+{
+ uint32_t rejected_mask = access_mask;
+ uint32_t do_not_check_mask = 0;
+ NTSTATUS status;
+
 if (sd == NULL) {
 goto access_denied;
 }
@@ -278,6 +288,14 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *dirfsp,
 return NT_STATUS_OK;
 }

+ status = smbd_check_access_rights_fname(fsp->conn,
+ fsp->fsp_name,
+ use_privs,
+ access_mask);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ return status;
+ }
+
 status = SMB_VFS_FGET_NT_ACL(fsp,
 (SECINFO_OWNER |
 SECINFO_GROUP |
-- Samba Shared Repository
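Review bot: `smbd_check_access_rights_sd()`, as it now begins in the second hunk, goes straight to `if (sd == NULL)`, so the `conn->share_access` mask test and the early `NT_STATUS_OK` returns that used to precede the descriptor check live only in `smbd_check_access_rights_fname()`. The call site added in the third hunk runs that helper first, but nothing on the new definition records the dependency. A later caller that hands a descriptor to `smbd_check_access_rights_sd()` directly would evaluate it without the share-level restriction. A comment above the definition would pin the precondition, for example `/* Caller must already have called smbd_check_access_rights_fname() and received NT_STATUS_MORE_PROCESSING_REQUIRED. */`. Both function bodies continue outside the hunks shown, so whether other callers exist cannot be told from this page.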