From 6f270e6a9bb2a3223d159484b112f3785460a5e3 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 4 Oct 2017 15:45:54 +0200
Subject: [PATCH 1/3] s3/smbd/posix_acls: return correct status in try_chown
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933
---
 source3/smbd/posix_acls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 4748fc01aa1..c2989a2d197 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3671,7 +3671,7 @@ NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
 a local SID on the users workstation */
 if (uid != get_current_uid(fsp->conn)) {
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_OWNER;
 }
 become_root();
-- 
2.13.5
From d4fed153134e148a900f09b7cbe8d7fd690540a8 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 4 Oct 2017 12:51:29 +0200
Subject: [PATCH 2/3] vfs_acl_common: factor out a variable declaration
Just some README.coding refactoring, no change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933
Signed-off-by: Ralph Boehme
---
 source3/modules/vfs_acl_common.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 75e72869e86..56c3be68715 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -807,8 +807,9 @@ static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp,
 uint32_t security_info_sent,
 bool chown_needed)
 {
- NTSTATUS status =
- SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
+ NTSTATUS status;
+
+ status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 return status;
 }
-- 
2.13.5
From 462cbb74948190617a7543d93d324477a1297675 Mon Sep 17 00:00:00 2001
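Review bot: Callers that compare try_chown()'s result with NT_STATUS_ACCESS_DENIED will take a different path once the `uid != get_current_uid(fsp->conn)` branch in source3/smbd/posix_acls.c (PATCH 1/3) returns NT_STATUS_INVALID_OWNER, and neither the commit message nor the hunk says which callers were checked. set_underlying_acl() in PATCH 2/3 only continues past `if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED))` on an access-denied result, so if this status reaches it through SMB_VFS_NEXT_FSET_NT_ACL the request would end there; that looks intended but should be stated. A comment on the branch would record it: `/* Target uid is not the caller: a give-ownership request, reported as an invalid owner rather than an access failure. */`. try_chown's body starts and ends outside the hunk.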
From: Ralph Boehme
Date: Wed, 4 Oct 2017 22:27:24 +0200
Subject: [PATCH 3/3] vfs_acl_common: fix take ownership vs give ownership
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933
---
 source3/modules/vfs_acl_common.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 56c3be68715..aa623864910 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -808,6 +808,7 @@ static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp,
 bool chown_needed)
 {
 NTSTATUS status;
+ const struct security_token *token = NULL;
 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
@@ -822,6 +823,11 @@ static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp,
 return NT_STATUS_ACCESS_DENIED;
 }
+ token = get_current_nttok(fsp->conn);
+ if (!security_token_is_sid(token, psd->owner_sid)) {
+ return NT_STATUS_INVALID_OWNER;
+ }
+
 DBG_DEBUG("overriding chown on file %s for sid %s\n", fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid));
-- 
2.13.5
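Review bot: The new `security_token_is_sid(token, psd->owner_sid)` test in the second hunk of PATCH 3/3 carries no comment, although it decides whether a request reaches the `DBG_DEBUG("overriding chown ...")` path that follows. I would add above `token = get_current_nttok(fsp->conn);` a line such as `/* Take-ownership only: the new owner must be the caller's own SID, never another account. */`. The test also reads `psd->owner_sid` unconditionally; the hunk does not show how `chown_needed` is set, so if it can be true for a group-only change, that request would presumably now fail with NT_STATUS_INVALID_OWNER, which is worth confirming against the caller. set_underlying_acl's body starts and ends outside the hunk.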