The Samba-Bugzilla – Attachment 5903 Details for Bug 7581: Users in "admin users" in smb.conf file are unable to read/write all files when the acl_xattr vfs module is used
[patch] Fix for 3.5.x.
0001-Fix-bug-7581-Users-in-admin-users-in-smb.conf-file-a.patch (text/plain), 4.25 KB, created by Jeremy Allison on 2010-08-12 19:04:34 UTC
>From 4b5df4c87c1b95c971d4c08a65ba4afa46cf59fb Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 12 Aug 2010 17:02:30 -0700 >Subject: [PATCH] Fix bug 7581 - Users in "admin users" in smb.conf file are unable to read/write all files when the acl_xattr vfs module is used. > >Correctly check admin users in smb1_file_se_access_check(). > >Jeremy. >--- > source3/include/proto.h | 3 ++- > source3/modules/vfs_acl_common.c | 6 ++++-- > source3/smbd/open.c | 31 +++++++++++++++++-------------- > 3 files changed, 23 insertions(+), 17 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 9da40b0..4d3fb63 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -6583,7 +6583,8 @@ void reply_nttranss(struct smb_request *req); > > /* The following definitions come from smbd/open.c */ > >-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, >+NTSTATUS smb1_file_se_access_check(connection_struct *conn, >+ const struct security_descriptor *sd, > const NT_USER_TOKEN *token, > uint32_t access_desired, > uint32_t *access_granted); >diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c >index 10781c4..abc4a62 100644 >--- a/source3/modules/vfs_acl_common.c >+++ b/source3/modules/vfs_acl_common.c >@@ -471,7 +471,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, > nt_errstr(status) )); > return status; > } >- status = smb1_file_se_access_check(parent_desc, >+ status = smb1_file_se_access_check(handle->conn, >+ parent_desc, > handle->conn->server_info->ptok, > access_mask, > &access_granted); >@@ -535,7 +536,8 @@ static int open_acl_common(vfs_handle_struct *handle, > &pdesc); > if (NT_STATUS_IS_OK(status)) { > /* See if we can access it. */ >- status = smb1_file_se_access_check(pdesc, >+ status = smb1_file_se_access_check(handle->conn, >+ pdesc, > handle->conn->server_info->ptok, > fsp->access_mask, > &access_granted); 
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index 120de0f..1bf7e23 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -49,11 +49,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, > SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES. > ****************************************************************************/ > >-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, >+NTSTATUS smb1_file_se_access_check(connection_struct *conn, >+ const struct security_descriptor *sd, > const NT_USER_TOKEN *token, > uint32_t access_desired, > uint32_t *access_granted) > { >+ *access_granted = 0; >+ >+ if (conn->server_info->utok.uid == 0 || conn->admin_user) { >+ /* I'm sorry sir, I didn't know you were root... */ >+ *access_granted = access_desired; >+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { >+ *access_granted |= FILE_GENERIC_ALL; >+ } >+ return NT_STATUS_OK; >+ } >+ > return se_access_check(sd, > token, > (access_desired & ~FILE_READ_ATTRIBUTES), >@@ -73,17 +85,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, > NTSTATUS status; > struct security_descriptor *sd = NULL; > >- *access_granted = 0; >- >- if (conn->server_info->utok.uid == 0 || conn->admin_user) { >- /* I'm sorry sir, I didn't know you were root... */ >- *access_granted = access_mask; >- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { >- *access_granted |= FILE_GENERIC_ALL; >- } >- return NT_STATUS_OK; >- } >- > status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, > (OWNER_SECURITY_INFORMATION | > GROUP_SECURITY_INFORMATION | >@@ -97,7 +98,8 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, > return status; > } > >- status = smb1_file_se_access_check(sd, >+ status = smb1_file_se_access_check(conn, >+ sd, > conn->server_info->ptok, > access_mask, > access_granted); 
>@@ -1412,7 +1414,8 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, > return NT_STATUS_ACCESS_DENIED; > } > >- status = smb1_file_se_access_check(sd, >+ status = smb1_file_se_access_check(conn, >+ sd, > conn->server_info->ptok, > access_mask, > &access_granted); >-- >1.7.1 >
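Review bot: In the source3/smbd/open.c hunk at @@ -49,11 +49,23 @@, the comment block above smb1_file_se_access_check() still only says "Never test FILE_READ_ATTRIBUTES", although the function now returns NT_STATUS_OK without consulting sd whenever conn->server_info->utok.uid == 0 or conn->admin_user is set. Because check_parent_acl_common() and open_acl_common() in vfs_acl_common.c now inherit that bypass through this call, please document it in the header comment so a later caller does not assume the result always reflects the security descriptor. On the same path, *access_granted = access_desired leaves the SEC_FLAG_MAXIMUM_ALLOWED bit itself set in the granted mask next to FILE_GENERIC_ALL; this is carried over from the removed block, but it is worth confirming that every new caller tolerates it.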
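Review bot: In the smbd_check_open_rights() hunk at @@ -73,17 +85,6 @@, dropping the early return changes the order of checks for root and admin users: SMB_VFS_GET_NT_ACL() now runs first, and the context of the following hunk shows a return status ahead of the smb1_file_se_access_check() call, so an admin user whose ACL fetch fails no longer reaches the bypass. The removed *access_granted = 0 also means the out-parameter is left unset on that error return, since the initialisation now happens only inside smb1_file_se_access_check(). Suggest keeping *access_granted = 0; at the top of smbd_check_open_rights() and stating in the commit message whether failing the ACL read for admin users is intended.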
Flags: vl: review+