The Samba-Bugzilla – Attachment 6339 Details for Bug 8034: SEC_STD_DELETE is always granted to the owner of a file
[patch] Backport Patches for v3-5-test
v3-5-acl-fix-06.patches.txt (text/plain), 3.61 KB, created by Stefan Metzmacher on 2011-03-22 16:31:38 UTC
>From e9aa7049f43714d3dadcfbb2aa5c5939121cba6e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 18 Mar 2011 16:45:08 +0100 >Subject: [PATCH 1/2] s3:smbd: access checks should not depend on share mode flags > >metze >(cherry picked from commit f0ec69b53544b7ff702f94d58b3d64c33eaabc7a) >(cherry picked from commit dca75c8e3ac23256d93269bdc13d1e67571bc9f2) >--- > source3/smbd/open.c | 1 - > 1 files changed, 0 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index bd748f9..0d585cf 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -2944,7 +2944,6 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, > > if (lp_acl_check_permissions(SNUM(conn)) > && (create_disposition != FILE_CREATE) >- && (share_access & FILE_SHARE_DELETE) > && (access_mask & DELETE_ACCESS) > && (!(can_delete_file_in_directory(conn, smb_fname) || > can_access_file_acl(conn, smb_fname, DELETE_ACCESS)))) { >-- >1.7.0.4 > > >From 702b45f3b7a73ca8a68f468834fe38b2bb6a09c8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 21 Mar 2011 14:15:32 +0100 >Subject: [PATCH 2/2] s3:util_seaccess: make sure that we don't grant SEC_STD_DELETE to the owner by default > >In the file server SEC_STD_DELETE is granted on the file/directory >or by FILE_DELETE_CHILD on the parent directory. > >metze >(similar to commit c7d10179108a3ae8af15c838042294f3fdced03c) >--- > source3/lib/util_seaccess.c | 24 +++++++++++------------- > 1 files changed, 11 insertions(+), 13 deletions(-) > >diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c >index 369f684..058bf32 100644 >--- a/source3/lib/util_seaccess.c >+++ b/source3/lib/util_seaccess.c 
>@@ -112,9 +112,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, > unsigned i; > > if (is_sid_in_token(token, sd->owner_sid)) { >- granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; >- } else if (user_has_privileges(token, &se_restore)) { >- granted |= SEC_STD_DELETE; >+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; > } > > if (sd->dacl == NULL) { >@@ -171,7 +169,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > access_desired |= access_check_max_allowed(sd, token); > access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; > *access_granted = access_desired; >- bits_remaining = access_desired & ~SEC_STD_DELETE; >+ bits_remaining = access_desired; > > DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", > orig_access_desired, >@@ -187,22 +185,22 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > } > } > >- /* a NULL dacl allows access */ >- if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { >- *access_granted = access_desired; >- return NT_STATUS_OK; >- } >- >- /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ >- if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && >+ /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ >+ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && > is_sid_in_token(token, sd->owner_sid)) { >- bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); >+ bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); > } > if ((bits_remaining & SEC_STD_DELETE) && > user_has_privileges(token, &se_restore)) { > bits_remaining &= ~SEC_STD_DELETE; > } > >+ /* a NULL dacl allows access */ >+ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { >+ *access_granted = access_desired; >+ return NT_STATUS_OK; >+ } >+ > if (sd->dacl == NULL) { > goto done; > } >-- >1.7.0.4 >
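Review bot: in PATCH 1/2 (source3/smbd/open.c, create_file_unixpath()), the commit message has no body explaining why the `(share_access & FILE_SHARE_DELETE)` term is dropped. With that term gone, every open that is not FILE_CREATE and asks for DELETE_ACCESS goes through can_delete_file_in_directory() / can_access_file_acl() when lp_acl_check_permissions() is enabled, so opens that previously skipped the check because they did not share delete can now be refused. Please state that behaviour change in the message so the backport can be assessed on its own.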
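Review bot: in PATCH 2/2, hunk @@ -112,9 of access_check_max_allowed(), the removal of the `else if (user_has_privileges(token, &se_restore))` branch is not covered by the commit message, which only talks about the owner. After this change a token holding se_restore no longer gets SEC_STD_DELETE added to the maximum-allowed mask here, while the later hunk in se_access_check() still clears SEC_STD_DELETE from bits_remaining for that same privilege, so an explicit SEC_STD_DELETE request and a SEC_FLAG_MAXIMUM_ALLOWED request can report different results for the same caller. Either keep the privilege grant in this function or document why the two paths are meant to differ.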
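Review bot: in PATCH 2/2, hunk @@ -187,22 of se_access_check(), moving the "a NULL dacl allows access" block below the owner and se_restore checks is not mentioned in the commit message and reads as a pure reorder: that block returns NT_STATUS_OK with `*access_granted = access_desired` and never looks at bits_remaining. Please say why it moves, or leave it in place to keep the backport minimal. A comment would also help here noting that with SEC_DESC_DACL_PRESENT and a NULL dacl, SEC_STD_DELETE is still granted to the owner along with everyone else, so the new rule only takes effect when a DACL is present.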
Flags: jra: review+