From 4b5df4c87c1b95c971d4c08a65ba4afa46cf59fb Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 12 Aug 2010 17:02:30 -0700
Subject: [PATCH] Fix bug 7581 - Users in "admin users" in smb.conf file are unable to read/write all files when the acl_xattr vfs module is used. Correctly check admin users in smb1_file_se_access_check(). Jeremy.
---
 source3/include/proto.h | 3 ++-
 source3/modules/vfs_acl_common.c | 6 ++++--
 source3/smbd/open.c | 31 +++++++++++++++++--------------
 3 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 9da40b0..4d3fb63 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6583,7 +6583,8 @@ void reply_nttranss(struct smb_request *req);
 /* The following definitions come from smbd/open.c */
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
 const NT_USER_TOKEN *token,
 uint32_t access_desired,
 uint32_t *access_granted);
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 10781c4..abc4a62 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -471,7 +471,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
 nt_errstr(status) ));
 return status;
 }
- status = smb1_file_se_access_check(parent_desc,
+ status = smb1_file_se_access_check(handle->conn,
+ parent_desc,
 handle->conn->server_info->ptok,
 access_mask,
 &access_granted);
@@ -535,7 +536,8 @@ static int open_acl_common(vfs_handle_struct *handle,
 &pdesc);
 if (NT_STATUS_IS_OK(status)) {
 /* See if we can access it. */
- status = smb1_file_se_access_check(pdesc,
+ status = smb1_file_se_access_check(handle->conn,
+ pdesc,
 handle->conn->server_info->ptok,
 fsp->access_mask,
 &access_granted);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 120de0f..1bf7e23 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -49,11 +49,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
 ****************************************************************************/
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_descriptor *sd,
 const NT_USER_TOKEN *token,
 uint32_t access_desired,
 uint32_t *access_granted)
 {
+ *access_granted = 0;
+
+ if (conn->server_info->utok.uid == 0 || conn->admin_user) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_desired;
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_granted |= FILE_GENERIC_ALL;
+ }
+ return NT_STATUS_OK;
+ }
+
 return se_access_check(sd,
 token,
 (access_desired & ~FILE_READ_ATTRIBUTES),
@@ -73,17 +85,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 NTSTATUS status;
 struct security_descriptor *sd = NULL;
- *access_granted = 0;
-
- if (conn->server_info->utok.uid == 0 || conn->admin_user) {
- /* I'm sorry sir, I didn't know you were root... */
- *access_granted = access_mask;
- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
- *access_granted |= FILE_GENERIC_ALL;
- }
- return NT_STATUS_OK;
- }
-
 status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
 (OWNER_SECURITY_INFORMATION |
 GROUP_SECURITY_INFORMATION |
@@ -97,7 +98,8 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 return status;
 }
- status = smb1_file_se_access_check(sd,
+ status = smb1_file_se_access_check(conn,
+ sd,
 conn->server_info->ptok,
 access_mask,
 access_granted);
@@ -1412,7 +1414,8 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
 return NT_STATUS_ACCESS_DENIED;
 }
- status = smb1_file_se_access_check(sd,
+ status = smb1_file_se_access_check(conn,
+ sd,
 conn->server_info->ptok,
 access_mask,
 &access_granted);
--
1.7.1
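Review bot: The function-header comment directly above the new signature in the -49,11 hunk still says only `SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.` and does not mention that the added early return for `conn->server_info->utok.uid == 0 || conn->admin_user` now grants `access_desired` without reading `sd` at all, so it should be extended with something like `Root (uid 0) and "admin users" bypass the descriptor entirely: *access_granted becomes access_desired, plus FILE_GENERIC_ALL when SEC_FLAG_MAXIMUM_ALLOWED was requested, and sd is not inspected (it may be NULL on this path)` (and "varient" can become "variant" while there). On that bypass path the SEC_FLAG_MAXIMUM_ALLOWED bit itself stays set in `*access_granted` alongside FILE_GENERIC_ALL, which presumably differs from the concrete rights se_access_check reports, so callers that compare the granted mask bit-for-bit against a requested mask should be checked, or the flag cleared with `*access_granted &= ~SEC_FLAG_MAXIMUM_ALLOWED;` after the OR. This block is carried over verbatim from smbd_check_open_rights (the -73,17 removal hunk), so behaviour there is unchanged, but it now also short-circuits the callers in vfs_acl_common.c (check_parent_acl_common, open_acl_common) and calculate_access_mask, which previously always evaluated the descriptor, and that widening is worth stating in the same header comment. The body of smb1_file_se_access_check continues past the hunk with the se_access_check call.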