From 85f7209614a9665658f1730855358f215cf37f60 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 4 Apr 2012 14:53:10 -0700 Subject: [PATCH 1/6] First part of fix for bug 8837 - smbd crashes when deleting directory and veto files are enabled. Add some const to the sec_ctx code. (cherry picked from commit f042de2f346c98a852957cdbb09a7f8ac871b69c) --- source3/smbd/proto.h | 2 +- source3/smbd/sec_ctx.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index aadad4b..0d31a1c 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -953,7 +953,7 @@ void server_encryption_shutdown(void); bool unix_token_equal(const struct security_unix_token *t1, const struct security_unix_token *t2); bool push_sec_ctx(void); -void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, struct security_token *token); +void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, const struct security_token *token); void set_root_sec_ctx(void); bool pop_sec_ctx(void); void init_sec_ctx(void); diff --git a/source3/smbd/sec_ctx.c b/source3/smbd/sec_ctx.c index f8c8847..14e18a8 100644 --- a/source3/smbd/sec_ctx.c +++ b/source3/smbd/sec_ctx.c @@ -304,7 +304,7 @@ static void set_unix_security_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *grou Set the current security context to a given user. ****************************************************************************/ -void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, struct security_token *token) +void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, const struct security_token *token) { struct sec_ctx *ctx_p = &sec_ctx_stack[sec_ctx_stack_ndx]; -- 1.7.7.3 From 465b170730248983c38db7f2ecbc3370e41cfd78 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 4 Apr 2012 14:57:12 -0700 Subject: [PATCH 2/6] Third part of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled. Use correct check to see if veto files has been enabled. Even if not set lp_veto_files() returns a valid string address (to a '\0' character). Autobuild-User: Jeremy Allison Autobuild-Date: Thu Apr 5 01:36:04 CEST 2012 on sn-devel-104 (cherry picked from commit 704ea4729b499ae2716cfe6ad5d952bcb1251a3b) --- source3/smbd/close.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/source3/smbd/close.c b/source3/smbd/close.c index a431a5d..a307f70 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -817,7 +817,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) return NT_STATUS_OK; } - if(((errno == ENOTEMPTY)||(errno == EEXIST)) && lp_veto_files(SNUM(conn))) { + if(((errno == ENOTEMPTY)||(errno == EEXIST)) && *lp_veto_files(SNUM(conn))) { /* * Check to see if the only thing in this directory are * vetoed files/directories. If so then delete them and -- 1.7.7.3 From eee35a7ccaf5f274a89596afc67d73ef2bd17969 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 6 Apr 2012 14:53:48 -0700 Subject: [PATCH 3/6] Fix the talloc heirarchy when adding the unix delete token. --- source3/locking/locking.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/source3/locking/locking.c b/source3/locking/locking.c index ddd469d..02622d6 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -1518,7 +1518,7 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, } dtl->name_hash = name_hash; - dtl->delete_token = copy_unix_token(lck, tok); + dtl->delete_token = copy_unix_token(dtl, tok); if (dtl->delete_token == NULL) { TALLOC_FREE(dtl); return false; -- 1.7.7.3 From a5d480f7be5a60fd18f8059b4d475f34021009f1 Mon Sep 17 00:00:00 2001 
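Review bot: The dereference in `*lp_veto_files(SNUM(conn))` in the close.c hunk depends on lp_veto_files() never returning NULL, which the commit message states but nothing at the call site records. Without a comment, a later cleanup could turn it back into the pointer test, which per the commit message is always true and sends every ENOTEMPTY/EEXIST rmdir into the veto-file deletion path. I would add one line above the condition, for example `/* lp_veto_files() always returns a string; "" means the option is unset. */`. rmdir_internals starts and ends outside the hunk.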
From: Jeremy Allison Date: Fri, 6 Apr 2012 15:39:03 -0700 Subject: [PATCH 4/6] The delete tokens are unique to each name hash representing a pathname, if we don't correctly return here we'll add duplicate tokens for a given pasname hash. --- source3/locking/locking.c | 13 +++++++------ 1 files changed, 7 insertions(+), 6 deletions(-) diff --git a/source3/locking/locking.c b/source3/locking/locking.c index 02622d6..8587714 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -1560,13 +1560,14 @@ void set_delete_on_close_lck(files_struct *fsp, /* Delete this entry. */ DLIST_REMOVE(lck->delete_tokens, dtl); TALLOC_FREE(dtl); - return; + } else { + /* Replace this token with the + given tok. */ + TALLOC_FREE(dtl->delete_token); + dtl->delete_token = copy_unix_token(dtl, tok); + SMB_ASSERT(dtl->delete_token != NULL); } - /* Replace this token with the - given tok. */ - TALLOC_FREE(dtl->delete_token); - dtl->delete_token = copy_unix_token(dtl, tok); - SMB_ASSERT(dtl->delete_token != NULL); + return; } } -- 1.7.7.3 From a3729b866db25bbbead8c12427dd2e5e1b479f27 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Apr 2012 11:47:27 -0700 Subject: [PATCH 5/6] Convert parse_delete_tokens_list() and unparse_share_modes() to use ndr encoding for the struct security_unix_token. We can do this as libsmb_share_modes never looks inside the delete tokens list, only implicitly gets the length. --- librpc/idl/security.idl | 2 +- source3/locking/locking.c | 120 +++++++++++++++----------------------------- 2 files changed, 42 insertions(+), 80 deletions(-) diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 3378367..b58e099 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -578,7 +578,7 @@ interface security } security_token; /* This is not yet sent over the network, but is simply defined in IDL */ - typedef [public] struct { + typedef [public,gensize] struct { uid_t uid; uid_t gid; uint32 ngroups; 
diff --git a/source3/locking/locking.c b/source3/locking/locking.c index 8587714..e04de79 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -44,6 +44,7 @@ #include "serverid.h" #include "messages.h" #include "util_tdb.h" +#include "../librpc/gen_ndr/ndr_security.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_LOCKING @@ -551,33 +552,10 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, lck->delete_tokens = NULL; for (i = 0; i < pdata->u.s.num_delete_token_entries; i++) { - uint32_t token_len; + DATA_BLOB blob; + enum ndr_err_code ndr_err; struct delete_token_list *pdtl; - - if (end_ptr - p < (sizeof(uint32_t) + sizeof(uint32_t) + - sizeof(uid_t) + sizeof(gid_t))) { - DEBUG(0,("parse_delete_tokens_list: " - "corrupt token list (%u)", - (unsigned int)(end_ptr - p))); - smb_panic("corrupt token list"); - return -1; - } - - memcpy(&token_len, p, sizeof(token_len)); - delete_tokens_size += token_len; - - if (p + token_len > end_ptr || token_len < sizeof(token_len) + - sizeof(pdtl->name_hash) + - sizeof(uid_t) + - sizeof(gid_t)) { - DEBUG(0,("parse_delete_tokens_list: " - "invalid token length (%u)\n", - (unsigned int)token_len )); - smb_panic("invalid token length"); - return -1; - } - - p += sizeof(token_len); + size_t token_len = 0; pdtl = TALLOC_ZERO_P(lck, struct delete_token_list); if (pdtl == NULL) { @@ -587,6 +565,7 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, /* Copy out the name_hash. */ memcpy(&pdtl->name_hash, p, sizeof(pdtl->name_hash)); p += sizeof(pdtl->name_hash); + delete_tokens_size += sizeof(pdtl->name_hash); pdtl->delete_token = TALLOC_ZERO_P(pdtl, struct security_unix_token); if (pdtl->delete_token == NULL) { 
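Review bot: With the up-front length test removed in the `-551,33` hunk, the `memcpy(&pdtl->name_hash, p, sizeof(pdtl->name_hash))` kept as context in the `-587,6` hunk now reads four bytes before anything compares `p` with `end_ptr`. The only remaining bound, `if (p >= end_ptr)`, sits in the following hunk and runs after `p` has already been advanced past the hash. A truncated or corrupt record can therefore be read past its end; a guard before the copy restores what the old code checked, e.g. `if (p > end_ptr || (size_t)(end_ptr - p) < sizeof(pdtl->name_hash)) { return -1; }`. parse_delete_tokens_list starts and ends outside these hunks.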
@@ -594,40 +573,29 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, return -1; } - /* Copy out the uid and gid. */ - memcpy(&pdtl->delete_token->uid, p, sizeof(uid_t)); - p += sizeof(uid_t); - memcpy(&pdtl->delete_token->gid, p, sizeof(gid_t)); - p += sizeof(gid_t); - - token_len -= (sizeof(token_len) + sizeof(pdtl->name_hash) + - sizeof(uid_t) + sizeof(gid_t)); - - /* Any supplementary groups ? */ - if (token_len) { - int j; - - if (token_len % sizeof(gid_t) != 0) { - DEBUG(0,("parse_delete_tokens_list: " - "corrupt group list (%u)", - (unsigned int)(token_len % sizeof(gid_t)) )); - smb_panic("corrupt group list"); - return -1; - } + if (p >= end_ptr) { + DEBUG(0,("parse_delete_tokens_list: corrupt data")); + return -1; + } - pdtl->delete_token->ngroups = token_len / sizeof(gid_t); - pdtl->delete_token->groups = TALLOC_ARRAY(pdtl->delete_token, gid_t, - pdtl->delete_token->ngroups); - if (pdtl->delete_token->groups == NULL) { - DEBUG(0,("parse_delete_tokens_list: talloc failed")); - return -1; - } + blob.data = p; + blob.length = end_ptr - p; - for (j = 0; j < pdtl->delete_token->ngroups; j++) { - memcpy(&pdtl->delete_token->groups[j], p, sizeof(gid_t)); - p += sizeof(gid_t); - } + ndr_err = ndr_pull_struct_blob(&blob, + pdtl, + pdtl->delete_token, + (ndr_pull_flags_fn_t)ndr_pull_security_unix_token); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("parse_delete_tokens_list: " + "ndr_pull_share_mode_data failed\n")); + return -1; } + + token_len = ndr_size_security_unix_token(pdtl->delete_token, 0); + + p += token_len; + delete_tokens_size += token_len; + /* Add to the list. */ DLIST_ADD(lck->delete_tokens, pdtl); } 
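Review bot: `p += token_len` advances by the size that `ndr_size_security_unix_token()` computes from the decoded struct, not by the number of bytes `ndr_pull_struct_blob()` consumed, and nothing afterwards checks that `p` is still within `end_ptr`. The two should agree for records this code wrote itself, but on a damaged record a mismatch would misalign every following entry; `if (token_len > (size_t)(end_ptr - p)) { return -1; }` before the advance keeps the walk inside the buffer. Separately, the failure message says `ndr_pull_share_mode_data failed` although the call is `ndr_pull_security_unix_token`, and the `corrupt data` DEBUG has no trailing `\n`. The function body continues outside the hunk.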
@@ -769,11 +737,8 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck) for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) { num_delete_token_entries++; - delete_tokens_size += (sizeof(uint32_t) + - sizeof(uint32_t) + - sizeof(uid_t) + - sizeof(gid_t) + - pdtl->delete_token->ngroups*sizeof(gid_t)); + delete_tokens_size += sizeof(uint32_t) + + ndr_size_security_unix_token(pdtl->delete_token, 0); } result.dsize = sizeof(*data) + @@ -813,30 +778,27 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck) /* Store any delete on close tokens. */ for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) { struct security_unix_token *pdt = pdtl->delete_token; - uint32_t token_size = sizeof(uint32_t) + - sizeof(uint32_t) + - sizeof(uid_t) + - sizeof(gid_t) + - (pdt->ngroups * sizeof(gid_t)); uint8_t *p = result.dptr + offset; - - memcpy(p, &token_size, sizeof(uint32_t)); - p += sizeof(uint32_t); + DATA_BLOB blob; + enum ndr_err_code ndr_err; memcpy(p, &pdtl->name_hash, sizeof(uint32_t)); p += sizeof(uint32_t); + offset += sizeof(uint32_t); - memcpy(p, &pdt->uid, sizeof(uid_t)); - p += sizeof(uid_t); + ndr_err = ndr_push_struct_blob(&blob, + talloc_tos(), + pdt, + (ndr_push_flags_fn_t)ndr_push_security_unix_token); - memcpy(p, &pdt->gid, sizeof(gid_t)); - p += sizeof(gid_t); - - for (i = 0; i < pdt->ngroups; i++) { - memcpy(p, &pdt->groups[i], sizeof(gid_t)); - p += sizeof(gid_t); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + smb_panic("ndr_push_security_unix_token failed"); } - offset += token_size; + + /* We know we have space here as we counted above. */ + memcpy(p, blob.data, blob.length); + offset += blob.length; + TALLOC_FREE(blob.data); } safe_strcpy((char *)result.dptr + offset, lck->servicepath, -- 1.7.7.3 From 63a09af9f29dbfc44670ef44c915200d063bdf29 Mon Sep 17 00:00:00 2001 
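Review bot: In the `-813,30` hunk, `memcpy(p, blob.data, blob.length)` trusts that the pushed blob is exactly as long as the `ndr_size_security_unix_token(pdtl->delete_token, 0)` value the sizing loop in the `-769,11` hunk added to `delete_tokens_size`; the comment says so, but the code does not verify it. A longer blob would write past the buffer sized from `result.dsize`, so I would make the assumption explicit before the copy with `SMB_ASSERT(blob.length == ndr_size_security_unix_token(pdt, 0));`. unparse_share_modes starts and ends outside both hunks.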
From: Jeremy Allison Date: Mon, 9 Apr 2012 12:44:05 -0700 Subject: [PATCH 6/6] Final back port of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled. Use ndr encoding to add the NT security token into the stored data when delete on close is set. --- librpc/idl/security.idl | 2 +- source3/include/smb.h | 1 + source3/locking/locking.c | 51 +++++++++++++++++++++++++++++++++++++------- source3/locking/proto.h | 10 +++++++- source3/smbd/close.c | 23 +++++++++++++------- source3/smbd/reply.c | 8 +++++- source3/smbd/trans2.c | 1 + 7 files changed, 75 insertions(+), 21 deletions(-) diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index b58e099..696d5a5 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -570,7 +570,7 @@ interface security } sec_desc_buf; /* This is not yet sent over the network, but is simply defined in IDL */ - typedef [public] struct { + typedef [public,gensize] struct { uint32 num_sids; [size_is(num_sids)] dom_sid sids[*]; se_privilege privilege_mask; diff --git a/source3/include/smb.h b/source3/include/smb.h index 549ebb2..873657a 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -637,6 +637,7 @@ struct delete_token_list { struct delete_token_list *next, *prev; uint32_t name_hash; struct security_unix_token *delete_token; + struct security_token *delete_nt_token; }; struct share_mode_lock { diff --git a/source3/locking/locking.c b/source3/locking/locking.c index e04de79..f510ee1 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -1470,6 +1470,7 @@ static struct security_unix_token *copy_unix_token(TALLOC_CTX *ctx, const struct static bool add_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash, + const struct security_token *nt_tok, const struct security_unix_token *tok) { struct delete_token_list *dtl; 
@@ -1485,6 +1486,11 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, TALLOC_FREE(dtl); return false; } + dtl->delete_nt_token = dup_nt_token(dtl, nt_tok); + if (dtl->delete_nt_token == NULL) { + TALLOC_FREE(dtl); + return false; + } DLIST_ADD(lck->delete_tokens, dtl); lck->modified = true; return true; @@ -1504,14 +1510,17 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, void set_delete_on_close_lck(files_struct *fsp, struct share_mode_lock *lck, bool delete_on_close, + const struct security_token *nt_tok, const struct security_unix_token *tok) { struct delete_token_list *dtl; bool ret; if (delete_on_close) { + SMB_ASSERT(nt_tok != NULL); SMB_ASSERT(tok != NULL); } else { + SMB_ASSERT(nt_tok == NULL); SMB_ASSERT(tok == NULL); } @@ -1528,6 +1537,9 @@ void set_delete_on_close_lck(files_struct *fsp, TALLOC_FREE(dtl->delete_token); dtl->delete_token = copy_unix_token(dtl, tok); SMB_ASSERT(dtl->delete_token != NULL); + TALLOC_FREE(dtl->delete_nt_token); + dtl->delete_nt_token = dup_nt_token(dtl, nt_tok); + SMB_ASSERT(dtl->delete_nt_token != NULL); } return; } @@ -1538,11 +1550,13 @@ void set_delete_on_close_lck(files_struct *fsp, return; } - ret = add_delete_on_close_token(lck, fsp->name_hash, tok); + ret = add_delete_on_close_token(lck, fsp->name_hash, nt_tok, tok); SMB_ASSERT(ret); } -bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok) +bool set_delete_on_close(files_struct *fsp, bool delete_on_close, + const struct security_token *nt_tok, + const struct security_unix_token *tok) { struct share_mode_lock *lck; 
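Review bot: The NT token duplicated into `dtl->delete_nt_token` in add_delete_on_close_token() never reaches the stored record as far as this patch shows: none of its locking.c hunks touch `parse_delete_tokens_list()` or `unparse_share_modes()`, which after patch 5 write and read only `name_hash` plus the unix token. If that is the whole change, an entry rebuilt from the tdb record has `delete_nt_token == NULL` (the entry comes from `TALLOC_ZERO_P`), so `get_delete_on_close_token()` would hand NULL to `set_sec_ctx()` in close.c and the delete would run without the requester's NT token, as before the patch. The `gensize` added to `security_token` in security.idl suggests the push/pull was intended; it would mirror the unix-token code using `ndr_push_security_token`, `ndr_pull_security_token` and `ndr_size_security_token()`.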
@@ -1557,8 +1571,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s return False; } - set_delete_on_close_lck(fsp, lck, delete_on_close, - delete_on_close ? tok : NULL); + if (delete_on_close) { + set_delete_on_close_lck(fsp, lck, true, + nt_tok, + tok); + } else { + set_delete_on_close_lck(fsp, lck, false, + NULL, + NULL); + } if (fsp->is_directory) { SMB_ASSERT(!is_ntfs_stream_smb_fname(fsp->fsp_name)); @@ -1573,7 +1594,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s return True; } -const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash) +/**************************************************************************** + Return the NT token and UNIX token if there's a match. Return true if + found, false if not. +****************************************************************************/ + +bool get_delete_on_close_token(struct share_mode_lock *lck, + uint32_t name_hash, + const struct security_token **pp_nt_tok, + const struct security_unix_token **pp_tok) { struct delete_token_list *dtl; @@ -1584,15 +1613,21 @@ const struct security_unix_token *get_delete_on_close_token(struct share_mode_lo DEBUG(10,("get_delete_on_close_token: dtl->name_hash = 0x%x\n", (unsigned int)dtl->name_hash )); if (dtl->name_hash == name_hash) { - return dtl->delete_token; + if (pp_nt_tok) { + *pp_nt_tok = dtl->delete_nt_token; + } + if (pp_tok) { + *pp_tok = dtl->delete_token; + } + return true; } } - return NULL; + return false; } bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash) { - return (get_delete_on_close_token(lck, name_hash) != NULL); + return get_delete_on_close_token(lck, name_hash, NULL, NULL); } bool set_sticky_write_time(struct file_id fileid, struct timespec write_time) diff --git a/source3/locking/proto.h b/source3/locking/proto.h index b7c8990..7745da5 100644 --- a/source3/locking/proto.h +++ b/source3/locking/proto.h 
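Review bot: The new header comment on get_delete_on_close_token() omits two things callers need to know: `*pp_nt_tok` and `*pp_tok` point into memory owned by `lck`, and they are left unwritten when the function returns false. The close.c callers keep using both pointers after the call, and close_directory() frees `lck` shortly after passing them to `set_sec_ctx()`, so the lifetime is worth stating. I would extend the comment with `The returned pointers are owned by lck and are valid only while lck is; they are not written if no entry matches.`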
@@ -173,12 +173,18 @@ void del_deferred_open_entry(struct share_mode_lock *lck, uint64_t mid, bool remove_share_oplock(struct share_mode_lock *lck, files_struct *fsp); bool downgrade_share_oplock(struct share_mode_lock *lck, files_struct *fsp); NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32 dosmode); -const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash); +bool get_delete_on_close_token(struct share_mode_lock *lck, + uint32_t name_hash, + const struct security_token **pp_nt_tok, + const struct security_unix_token **pp_tok); void set_delete_on_close_lck(files_struct *fsp, struct share_mode_lock *lck, bool delete_on_close, + const struct security_token *nt_tok, + const struct security_unix_token *tok); +bool set_delete_on_close(files_struct *fsp, bool delete_on_close, + const struct security_token *nt_tok, const struct security_unix_token *tok); -bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok); bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash); bool set_sticky_write_time(struct file_id fileid, struct timespec write_time); bool set_write_time(struct file_id fileid, struct timespec write_time); diff --git a/source3/smbd/close.c b/source3/smbd/close.c index a307f70..36cec1a 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -280,6 +280,8 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, NTSTATUS tmp_status; struct file_id id; const struct security_unix_token *del_token = NULL; + const struct security_token *del_nt_token = NULL; + bool got_tokens = false; /* Ensure any pending write time updates are done. */ if (fsp->update_write_time_event) { 
@@ -345,7 +347,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, became_user = True; } fsp->delete_on_close = true; - set_delete_on_close_lck(fsp, lck, True, get_current_utok(conn)); + set_delete_on_close_lck(fsp, lck, True, + get_current_nttok(conn), + get_current_utok(conn)); if (became_user) { unbecome_user(); } @@ -398,8 +402,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, */ fsp->update_write_time_on_close = false; - del_token = get_delete_on_close_token(lck, fsp->name_hash); - SMB_ASSERT(del_token != NULL); + got_tokens = get_delete_on_close_token(lck, fsp->name_hash, + &del_nt_token, &del_token); + SMB_ASSERT(got_tokens); if (!unix_token_equal(del_token, get_current_utok(conn))) { /* Become the user who requested the delete. */ @@ -418,7 +423,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, del_token->gid, del_token->ngroups, del_token->groups, - NULL); + del_nt_token); changed_user = true; } @@ -491,7 +496,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, */ fsp->delete_on_close = false; - set_delete_on_close_lck(fsp, lck, false, NULL); + set_delete_on_close_lck(fsp, lck, false, NULL, NULL); done: @@ -962,6 +967,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, bool delete_dir = False; NTSTATUS status = NT_STATUS_OK; NTSTATUS status1 = NT_STATUS_OK; + const struct security_token *del_nt_token = NULL; const struct security_unix_token *del_token = NULL; /* @@ -998,6 +1004,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, send_stat_cache_delete_message(fsp->conn->sconn->msg_ctx, fsp->fsp_name->base_name); set_delete_on_close_lck(fsp, lck, true, + get_current_nttok(fsp->conn), get_current_utok(fsp->conn)); fsp->delete_on_close = true; if (became_user) { 
@@ -1005,8 +1012,8 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, } } - del_token = get_delete_on_close_token(lck, fsp->name_hash); - delete_dir = (del_token != NULL); + delete_dir = get_delete_on_close_token(lck, fsp->name_hash, + &del_nt_token, &del_token); if (delete_dir) { int i; @@ -1038,7 +1045,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, del_token->gid, del_token->ngroups, del_token->groups, - NULL); + del_nt_token); TALLOC_FREE(lck); diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index c0e8a98..ac471aa 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -2541,7 +2541,9 @@ static NTSTATUS do_unlink(connection_struct *conn, } /* The set is across all open files on this dev/inode pair. */ - if (!set_delete_on_close(fsp, True, &conn->session_info->utok)) { + if (!set_delete_on_close(fsp, true, + conn->session_info->security_token, + &conn->session_info->utok)) { close_file(req, fsp, NORMAL_CLOSE); return NT_STATUS_ACCESS_DENIED; } @@ -5650,7 +5652,9 @@ void reply_rmdir(struct smb_request *req) goto out; } - if (!set_delete_on_close(fsp, true, &conn->session_info->utok)) { + if (!set_delete_on_close(fsp, true, + conn->session_info->security_token, + &conn->session_info->utok)) { close_file(req, fsp, ERROR_CLOSE); reply_nterror(req, NT_STATUS_ACCESS_DENIED); goto out; diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 6f933dd..c7cf1a2 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -5827,6 +5827,7 @@ static NTSTATUS smb_set_file_disposition_info(connection_struct *conn, /* The set is across all open files on this dev/inode pair. */ if (!set_delete_on_close(fsp, delete_on_close, + conn->session_info->security_token, &conn->session_info->utok)) { return NT_STATUS_ACCESS_DENIED; } -- 1.7.7.3
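Review bot: The new call sites in reply.c and trans2.c pass `conn->session_info->security_token` straight through, while set_delete_on_close_lck() in this same patch now does `SMB_ASSERT(nt_tok != NULL)` whenever delete_on_close is true. Whether every session that can reach do_unlink(), reply_rmdir() or smb_set_file_disposition_info() carries an NT token is not visible from these hunks; if one does not, a client request would panic smbd instead of failing cleanly. Either confirm that invariant, or have set_delete_on_close() reject the request before taking the lock with `if (delete_on_close && nt_tok == NULL) { return False; }`, which these callers already map to NT_STATUS_ACCESS_DENIED. The close.c hunks obtain the token via `get_current_nttok(conn)` instead; using one accessor throughout would make the invariant easier to audit.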