From bb3283c3f18127caaf68fd13c4d61e056fb560f9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Feb 2012 09:47:50 -0800 Subject: [PATCH] Fix problem reported by Tom Lee - when calculating the share security mask, take priviliges into account for the connecting user. Autobuild-User: Jeremy Allison Autobuild-Date: Tue Feb 28 20:21:26 CET 2012 on sn-devel-104 (cherry picked from commit 6081fabe7e0f461ea7d288c40727d4fb5defce5d) --- source3/smbd/service.c | 31 ++++++++++++++++++++++++++++--- 1 files changed, 28 insertions(+), 3 deletions(-) diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 34b24f3..f57e57f 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } /**************************************************************************** + Setup the share access mask for a connection. +****************************************************************************/ + +static void create_share_access_mask(connection_struct *conn, int snum) +{ + const struct security_token *token = conn->session_info->security_token; + + share_access_check(token, + lp_servicename(snum), + MAXIMUM_ALLOWED_ACCESS, + &conn->share_access); + + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + conn->share_access |= SEC_FLAG_SYSTEM_SECURITY; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP); + } + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + conn->share_access |= (SEC_STD_WRITE_OWNER); + } +} + +/**************************************************************************** Make a connection, given the snum to connect to, and the vuser of the connecting user if appropriate. ****************************************************************************/ @@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc * */ - share_access_check(conn->session_info->security_token, - lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS, - &conn->share_access); + create_share_access_mask(conn, snum); if ((conn->share_access & FILE_WRITE_DATA) == 0) { if ((conn->share_access & FILE_READ_DATA) == 0) { -- 1.7.5.4