From 6ec99f225e5579a4fbf7faa39856be3898228a9b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 6 Oct 2011 15:40:59 -0700 Subject: [PATCH] Fix bug #8458 - IE9 on Windows 7 cannot download files to samba 3.5.11 share Handle the SECINFO_LABEL flag in the same way as Win2k3. --- librpc/gen_ndr/ndr_security.c | 1 + librpc/gen_ndr/security.h | 1 + librpc/idl/security.idl | 1 + source3/rpc_server/srv_samr_nt.c | 2 +- source3/smbd/nttrans.c | 25 +++++++++++++++++++++++++ 5 files changed, 29 insertions(+), 1 deletions(-) diff --git a/librpc/gen_ndr/ndr_security.c b/librpc/gen_ndr/ndr_security.c index ceeba76..b59eb19 100644 --- a/librpc/gen_ndr/ndr_security.c +++ b/librpc/gen_ndr/ndr_security.c @@ -1042,6 +1042,7 @@ _PUBLIC_ void ndr_print_security_secinfo(struct ndr_print *ndr, const char *name ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_GROUP", SECINFO_GROUP, r); ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_DACL", SECINFO_DACL, r); ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_SACL", SECINFO_SACL, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_LABEL", SECINFO_LABEL, r); ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_UNPROTECTED_SACL", SECINFO_UNPROTECTED_SACL, r); ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_UNPROTECTED_DACL", SECINFO_UNPROTECTED_DACL, r); ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "SECINFO_PROTECTED_SACL", SECINFO_PROTECTED_SACL, r); diff --git a/librpc/gen_ndr/security.h b/librpc/gen_ndr/security.h index 297ba18..9bf01b9 100644 --- a/librpc/gen_ndr/security.h +++ b/librpc/gen_ndr/security.h @@ -358,6 +358,7 @@ struct security_token { #define SECINFO_GROUP ( 0x00000002 ) #define SECINFO_DACL ( 0x00000004 ) #define SECINFO_SACL ( 0x00000008 ) +#define SECINFO_LABEL ( 0x00000010 ) #define SECINFO_UNPROTECTED_SACL ( 0x10000000 ) #define SECINFO_UNPROTECTED_DACL ( 0x20000000 ) #define SECINFO_PROTECTED_SACL ( 0x40000000 ) diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 44a1712..fa8f6ec 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -448,6 +448,7 @@ interface security SECINFO_GROUP = 0x00000002, SECINFO_DACL = 0x00000004, SECINFO_SACL = 0x00000008, + SECINFO_LABEL = 0x00000010, SECINFO_UNPROTECTED_SACL = 0x10000000, SECINFO_UNPROTECTED_DACL = 0x20000000, SECINFO_PROTECTED_SACL = 0x40000000, diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e98e4aa..8553e7d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -223,7 +223,7 @@ done: /* add in any bits saved during the privilege check (only matters is status is ok) */ - *acc_granted |= rights_mask; + *acc_granted |= saved_mask; DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index f82820c..decb07c 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -860,6 +860,12 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len, /* Ensure we have at least one thing set. */ if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) { + if (security_info_sent & SECINFO_LABEL) { + /* Only consider SECINFO_LABEL if no other + bits are set. Just like W2K3 we don't + store this. */ + return NT_STATUS_OK; + } return NT_STATUS_INVALID_PARAMETER; } @@ -1849,8 +1855,18 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, return; } + if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER| + SECINFO_GROUP|SECINFO_SACL)) { + /* Don't return SECINFO_LABEL if anything else was + requested. See bug #8458. */ + security_info_wanted &= ~SECINFO_LABEL; + } + if (!lp_nt_acl_support(SNUM(conn))) { status = get_null_nt_acl(talloc_tos(), &psd); + } else if (security_info_wanted & SECINFO_LABEL) { + /* Like W2K3 return a null object. */ + status = get_null_nt_acl(talloc_tos(), &psd); } else { status = SMB_VFS_FGET_NT_ACL( fsp, security_info_wanted, &psd); @@ -1882,6 +1898,15 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, security_info_wanted & DACL_SECURITY_INFORMATION) psd->type |= SEC_DESC_DACL_PRESENT; + if (security_info_wanted & SECINFO_LABEL) { + /* Like W2K3 return a null object. */ + psd->owner_sid = NULL; + psd->group_sid = NULL; + psd->dacl = NULL; + psd->sacl = NULL; + psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT); + } + sd_size = ndr_size_security_descriptor(psd, NULL, 0); DEBUG(3,("call_nt_transact_query_security_desc: sd_size = %lu.\n",(unsigned long)sd_size)); -- 1.7.3.1