From bef82d3180a6df98623664eaed8a7ae51159573b Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 29 Aug 2017 15:55:19 +0200 Subject: [PATCH 1/3] s3/smbd: remove lp_dos_filemode() check from permissions override We wanted to set the DOS attributes and failed with permission denied. Next thing we wanna do here is possible override the kernel access check given that the stored security descriptor has FILE_WRITE_ATTRIBUTES for the user. All this has nothing to do with what the "dos filemode" setting is for, so just remove it from this codepath. Bug: ... --- source3/smbd/dosmode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 3181f2e78a9..72980679266 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -475,7 +475,7 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, */ /* Check if we have write access. */ - if(!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn))) + if(!CAN_WRITE(conn)) return NT_STATUS_ACCESS_DENIED; if (!can_write_to_file(conn, smb_fname)) { -- 2.13.5 From 09905d6ccb73a437d6f4d68072bfe3899d049a9b Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 29 Aug 2017 15:57:49 +0200 Subject: [PATCH 2/3] s3/smbd: setting DOS attributes requires FILE_WRITE_ATTRIBUTES can_write_to_file() tests for FILE_WRITE_DATA, but changing DOS attributes requires FILE_WRITE_ATTRIBUTES. Bug: ... --- source3/smbd/dosmode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 72980679266..420afd0697f 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -478,7 +478,9 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, if(!CAN_WRITE(conn)) return NT_STATUS_ACCESS_DENIED; - if (!can_write_to_file(conn, smb_fname)) { + status = smbd_check_access_rights(conn, smb_fname, false, + FILE_WRITE_ATTRIBUTES); + if (!NT_STATUS_IS_OK(status)) { return NT_STATUS_ACCESS_DENIED; } -- 2.13.5 From ed9f9bd75794bb7cec074f5c4116f132998a837c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 29 Aug 2017 16:08:06 +0200 Subject: [PATCH 3/3] s3/smbd: let get_file_handle_for_metadata() open the file read-only We're only using these filehandles in root override cases where we need a filehandle to call filehandle based syscalls (fchmod and fsetxattr). This fixes the case of requesting write access on a file where the user only has read permissions which fails. Bug: ... --- source3/smbd/dosmode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 420afd0697f..38d92e8fa2f 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -1154,7 +1154,7 @@ static NTSTATUS get_file_handle_for_metadata(connection_struct *conn, NULL, /* req */ 0, /* root_dir_fid */ smb_fname_cp, /* fname */ - FILE_WRITE_DATA, /* access_mask */ + FILE_READ_DATA, /* access_mask */ (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */ FILE_SHARE_DELETE), FILE_OPEN, /* create_disposition*/ -- 2.13.5