From e3723ddd3d1169839da93b581fbbd7f00761bea0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 23 Dec 2015 10:25:09 -0800
Subject: [PATCH] s3: smbd: Ensure we can't get or set Windows ACLs on
 symlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/posix_acls.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 5e39370..1f83d78 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3535,6 +3535,13 @@ NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
 		return map_nt_error_from_unix(errno);
 	}
 
+	/* No Windows ACLs allowed on symlinks. */
+	if (S_ISLNK(smb_fname.st.st_ex_mode)) {
+		DBG_INFO("No ACL on symlink %s\n", name);
+		TALLOC_FREE(frame);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	/* Get the ACL from the path. */
 	posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name,
 					     SMB_ACL_TYPE_ACCESS, frame);
@@ -3690,6 +3697,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 		return status;
 	}
 
+	/* No Windows ACLs allowed on symlinks. */
+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+		DBG_INFO("No ACL on symlink %s\n", fsp_str_dbg(fsp));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	/* Save the original element we check against. */
 	orig_mode = fsp->fsp_name->st.st_ex_mode;
 
-- 
2.5.0