The Samba-Bugzilla – Attachment 7442 Details for
Bug 8837
smbd crashes when deleting directory and veto files are enabled
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Back-port 6 part git-am fix for 3.6.next.
look (text/plain), 22.49 KB, created by
Jeremy Allison
on 2012-04-09 20:22:40 UTC
(
hide
)
Description:
Back-port 6 part git-am fix for 3.6.next.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-04-09 20:22:40 UTC
Size:
22.49 KB
patch
obsolete
>From 85f7209614a9665658f1730855358f215cf37f60 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 4 Apr 2012 14:53:10 -0700 >Subject: [PATCH 1/6] First part of fix for bug 8837 - smbd crashes when > deleting directory and veto files are enabled. > >Add some const to the sec_ctx code. >(cherry picked from commit f042de2f346c98a852957cdbb09a7f8ac871b69c) >--- > source3/smbd/proto.h | 2 +- > source3/smbd/sec_ctx.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h >index aadad4b..0d31a1c 100644 >--- a/source3/smbd/proto.h >+++ b/source3/smbd/proto.h >@@ -953,7 +953,7 @@ void server_encryption_shutdown(void); > > bool unix_token_equal(const struct security_unix_token *t1, const struct security_unix_token *t2); > bool push_sec_ctx(void); >-void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, struct security_token *token); >+void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, const struct security_token *token); > void set_root_sec_ctx(void); > bool pop_sec_ctx(void); > void init_sec_ctx(void); >diff --git a/source3/smbd/sec_ctx.c b/source3/smbd/sec_ctx.c >index f8c8847..14e18a8 100644 >--- a/source3/smbd/sec_ctx.c >+++ b/source3/smbd/sec_ctx.c >@@ -304,7 +304,7 @@ static void set_unix_security_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *grou > Set the current security context to a given user. > ****************************************************************************/ > >-void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, struct security_token *token) >+void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, const struct security_token *token) > { > struct sec_ctx *ctx_p = &sec_ctx_stack[sec_ctx_stack_ndx]; > >-- >1.7.7.3 > > >From 465b170730248983c38db7f2ecbc3370e41cfd78 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 4 Apr 2012 14:57:12 -0700 >Subject: [PATCH 2/6] Third part of fix for bug #8837 - smbd crashes when > deleting directory and veto files are enabled. > >Use correct check to see if veto files has been enabled. Even if not >set lp_veto_files() returns a valid string address (to a '\0' character). > >Autobuild-User: Jeremy Allison <jra@samba.org> >Autobuild-Date: Thu Apr 5 01:36:04 CEST 2012 on sn-devel-104 >(cherry picked from commit 704ea4729b499ae2716cfe6ad5d952bcb1251a3b) >--- > source3/smbd/close.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/close.c b/source3/smbd/close.c >index a431a5d..a307f70 100644 >--- a/source3/smbd/close.c >+++ b/source3/smbd/close.c >@@ -817,7 +817,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) > return NT_STATUS_OK; > } > >- if(((errno == ENOTEMPTY)||(errno == EEXIST)) && lp_veto_files(SNUM(conn))) { >+ if(((errno == ENOTEMPTY)||(errno == EEXIST)) && *lp_veto_files(SNUM(conn))) { > /* > * Check to see if the only thing in this directory are > * vetoed files/directories. If so then delete them and >-- >1.7.7.3 > > >From eee35a7ccaf5f274a89596afc67d73ef2bd17969 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 6 Apr 2012 14:53:48 -0700 >Subject: [PATCH 3/6] Fix the talloc heirarchy when adding the unix delete > token. > >--- > source3/locking/locking.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/source3/locking/locking.c b/source3/locking/locking.c >index ddd469d..02622d6 100644 >--- a/source3/locking/locking.c >+++ b/source3/locking/locking.c >@@ -1518,7 +1518,7 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, > } > > dtl->name_hash = name_hash; >- dtl->delete_token = copy_unix_token(lck, tok); >+ dtl->delete_token = copy_unix_token(dtl, tok); > if (dtl->delete_token == NULL) { > TALLOC_FREE(dtl); > return false; >-- >1.7.7.3 > > >From a5d480f7be5a60fd18f8059b4d475f34021009f1 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 6 Apr 2012 15:39:03 -0700 >Subject: [PATCH 4/6] The delete tokens are unique to each name hash > representing a pathname, if we don't correctly return > here we'll add duplicate tokens for a given pasname > hash. > >--- > source3/locking/locking.c | 13 +++++++------ > 1 files changed, 7 insertions(+), 6 deletions(-) > >diff --git a/source3/locking/locking.c b/source3/locking/locking.c >index 02622d6..8587714 100644 >--- a/source3/locking/locking.c >+++ b/source3/locking/locking.c >@@ -1560,13 +1560,14 @@ void set_delete_on_close_lck(files_struct *fsp, > /* Delete this entry. */ > DLIST_REMOVE(lck->delete_tokens, dtl); > TALLOC_FREE(dtl); >- return; >+ } else { >+ /* Replace this token with the >+ given tok. */ >+ TALLOC_FREE(dtl->delete_token); >+ dtl->delete_token = copy_unix_token(dtl, tok); >+ SMB_ASSERT(dtl->delete_token != NULL); > } >- /* Replace this token with the >- given tok. */ >- TALLOC_FREE(dtl->delete_token); >- dtl->delete_token = copy_unix_token(dtl, tok); >- SMB_ASSERT(dtl->delete_token != NULL); >+ return; > } > } > >-- >1.7.7.3 > > >From a3729b866db25bbbead8c12427dd2e5e1b479f27 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 9 Apr 2012 11:47:27 -0700 >Subject: [PATCH 5/6] Convert parse_delete_tokens_list() and > unparse_share_modes() to use ndr encoding for the > struct security_unix_token. We can do this as > libsmb_share_modes never looks inside the delete tokens > list, only implicitly gets the length. > >--- > librpc/idl/security.idl | 2 +- > source3/locking/locking.c | 120 +++++++++++++++----------------------------- > 2 files changed, 42 insertions(+), 80 deletions(-) > >diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl >index 3378367..b58e099 100644 >--- a/librpc/idl/security.idl >+++ b/librpc/idl/security.idl >@@ -578,7 +578,7 @@ interface security > } security_token; > > /* This is not yet sent over the network, but is simply defined in IDL */ >- typedef [public] struct { >+ typedef [public,gensize] struct { > uid_t uid; > uid_t gid; > uint32 ngroups; >diff --git a/source3/locking/locking.c b/source3/locking/locking.c >index 8587714..e04de79 100644 >--- a/source3/locking/locking.c >+++ b/source3/locking/locking.c >@@ -44,6 +44,7 @@ > #include "serverid.h" > #include "messages.h" > #include "util_tdb.h" >+#include "../librpc/gen_ndr/ndr_security.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_LOCKING >@@ -551,33 +552,10 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, > lck->delete_tokens = NULL; > > for (i = 0; i < pdata->u.s.num_delete_token_entries; i++) { >- uint32_t token_len; >+ DATA_BLOB blob; >+ enum ndr_err_code ndr_err; > struct delete_token_list *pdtl; >- >- if (end_ptr - p < (sizeof(uint32_t) + sizeof(uint32_t) + >- sizeof(uid_t) + sizeof(gid_t))) { >- DEBUG(0,("parse_delete_tokens_list: " >- "corrupt token list (%u)", >- (unsigned int)(end_ptr - p))); >- smb_panic("corrupt token list"); >- return -1; >- } >- >- memcpy(&token_len, p, sizeof(token_len)); >- delete_tokens_size += token_len; >- >- if (p + token_len > end_ptr || token_len < sizeof(token_len) + >- sizeof(pdtl->name_hash) + >- sizeof(uid_t) + >- sizeof(gid_t)) { >- DEBUG(0,("parse_delete_tokens_list: " >- "invalid token length (%u)\n", >- (unsigned int)token_len )); >- smb_panic("invalid token length"); >- return -1; >- } >- >- p += sizeof(token_len); >+ size_t token_len = 0; > > pdtl = TALLOC_ZERO_P(lck, struct delete_token_list); > if (pdtl == NULL) { >@@ -587,6 +565,7 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, > /* Copy out the name_hash. */ > memcpy(&pdtl->name_hash, p, sizeof(pdtl->name_hash)); > p += sizeof(pdtl->name_hash); >+ delete_tokens_size += sizeof(pdtl->name_hash); > > pdtl->delete_token = TALLOC_ZERO_P(pdtl, struct security_unix_token); > if (pdtl->delete_token == NULL) { >@@ -594,40 +573,29 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck, > return -1; > } > >- /* Copy out the uid and gid. */ >- memcpy(&pdtl->delete_token->uid, p, sizeof(uid_t)); >- p += sizeof(uid_t); >- memcpy(&pdtl->delete_token->gid, p, sizeof(gid_t)); >- p += sizeof(gid_t); >- >- token_len -= (sizeof(token_len) + sizeof(pdtl->name_hash) + >- sizeof(uid_t) + sizeof(gid_t)); >- >- /* Any supplementary groups ? */ >- if (token_len) { >- int j; >- >- if (token_len % sizeof(gid_t) != 0) { >- DEBUG(0,("parse_delete_tokens_list: " >- "corrupt group list (%u)", >- (unsigned int)(token_len % sizeof(gid_t)) )); >- smb_panic("corrupt group list"); >- return -1; >- } >+ if (p >= end_ptr) { >+ DEBUG(0,("parse_delete_tokens_list: corrupt data")); >+ return -1; >+ } > >- pdtl->delete_token->ngroups = token_len / sizeof(gid_t); >- pdtl->delete_token->groups = TALLOC_ARRAY(pdtl->delete_token, gid_t, >- pdtl->delete_token->ngroups); >- if (pdtl->delete_token->groups == NULL) { >- DEBUG(0,("parse_delete_tokens_list: talloc failed")); >- return -1; >- } >+ blob.data = p; >+ blob.length = end_ptr - p; > >- for (j = 0; j < pdtl->delete_token->ngroups; j++) { >- memcpy(&pdtl->delete_token->groups[j], p, sizeof(gid_t)); >- p += sizeof(gid_t); >- } >+ ndr_err = ndr_pull_struct_blob(&blob, >+ pdtl, >+ pdtl->delete_token, >+ (ndr_pull_flags_fn_t)ndr_pull_security_unix_token); >+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { >+ DEBUG(1, ("parse_delete_tokens_list: " >+ "ndr_pull_share_mode_data failed\n")); >+ return -1; > } >+ >+ token_len = ndr_size_security_unix_token(pdtl->delete_token, 0); >+ >+ p += token_len; >+ delete_tokens_size += token_len; >+ > /* Add to the list. */ > DLIST_ADD(lck->delete_tokens, pdtl); > } >@@ -769,11 +737,8 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck) > > for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) { > num_delete_token_entries++; >- delete_tokens_size += (sizeof(uint32_t) + >- sizeof(uint32_t) + >- sizeof(uid_t) + >- sizeof(gid_t) + >- pdtl->delete_token->ngroups*sizeof(gid_t)); >+ delete_tokens_size += sizeof(uint32_t) + >+ ndr_size_security_unix_token(pdtl->delete_token, 0); > } > > result.dsize = sizeof(*data) + >@@ -813,30 +778,27 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck) > /* Store any delete on close tokens. */ > for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) { > struct security_unix_token *pdt = pdtl->delete_token; >- uint32_t token_size = sizeof(uint32_t) + >- sizeof(uint32_t) + >- sizeof(uid_t) + >- sizeof(gid_t) + >- (pdt->ngroups * sizeof(gid_t)); > uint8_t *p = result.dptr + offset; >- >- memcpy(p, &token_size, sizeof(uint32_t)); >- p += sizeof(uint32_t); >+ DATA_BLOB blob; >+ enum ndr_err_code ndr_err; > > memcpy(p, &pdtl->name_hash, sizeof(uint32_t)); > p += sizeof(uint32_t); >+ offset += sizeof(uint32_t); > >- memcpy(p, &pdt->uid, sizeof(uid_t)); >- p += sizeof(uid_t); >+ ndr_err = ndr_push_struct_blob(&blob, >+ talloc_tos(), >+ pdt, >+ (ndr_push_flags_fn_t)ndr_push_security_unix_token); > >- memcpy(p, &pdt->gid, sizeof(gid_t)); >- p += sizeof(gid_t); >- >- for (i = 0; i < pdt->ngroups; i++) { >- memcpy(p, &pdt->groups[i], sizeof(gid_t)); >- p += sizeof(gid_t); >+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { >+ smb_panic("ndr_push_security_unix_token failed"); > } >- offset += token_size; >+ >+ /* We know we have space here as we counted above. */ >+ memcpy(p, blob.data, blob.length); >+ offset += blob.length; >+ TALLOC_FREE(blob.data); > } > > safe_strcpy((char *)result.dptr + offset, lck->servicepath, >-- >1.7.7.3 > > >From 63a09af9f29dbfc44670ef44c915200d063bdf29 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 9 Apr 2012 12:44:05 -0700 >Subject: [PATCH 6/6] Final back port of fix for bug #8837 - smbd crashes when > deleting directory and veto files are enabled. > >Use ndr encoding to add the NT security token into the stored data when >delete on close is set. >--- > librpc/idl/security.idl | 2 +- > source3/include/smb.h | 1 + > source3/locking/locking.c | 51 +++++++++++++++++++++++++++++++++++++------- > source3/locking/proto.h | 10 +++++++- > source3/smbd/close.c | 23 +++++++++++++------- > source3/smbd/reply.c | 8 +++++- > source3/smbd/trans2.c | 1 + > 7 files changed, 75 insertions(+), 21 deletions(-) > >diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl >index b58e099..696d5a5 100644 >--- a/librpc/idl/security.idl >+++ b/librpc/idl/security.idl >@@ -570,7 +570,7 @@ interface security > } sec_desc_buf; > > /* This is not yet sent over the network, but is simply defined in IDL */ >- typedef [public] struct { >+ typedef [public,gensize] struct { > uint32 num_sids; > [size_is(num_sids)] dom_sid sids[*]; > se_privilege privilege_mask; >diff --git a/source3/include/smb.h b/source3/include/smb.h >index 549ebb2..873657a 100644 >--- a/source3/include/smb.h >+++ b/source3/include/smb.h >@@ -637,6 +637,7 @@ struct delete_token_list { > struct delete_token_list *next, *prev; > uint32_t name_hash; > struct security_unix_token *delete_token; >+ struct security_token *delete_nt_token; > }; > > struct share_mode_lock { >diff --git a/source3/locking/locking.c b/source3/locking/locking.c >index e04de79..f510ee1 100644 >--- a/source3/locking/locking.c >+++ b/source3/locking/locking.c >@@ -1470,6 +1470,7 @@ static struct security_unix_token *copy_unix_token(TALLOC_CTX *ctx, const struct > > static bool add_delete_on_close_token(struct share_mode_lock *lck, > uint32_t name_hash, >+ const struct security_token *nt_tok, > const struct security_unix_token *tok) > { > struct delete_token_list *dtl; >@@ -1485,6 +1486,11 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, > TALLOC_FREE(dtl); > return false; > } >+ dtl->delete_nt_token = dup_nt_token(dtl, nt_tok); >+ if (dtl->delete_nt_token == NULL) { >+ TALLOC_FREE(dtl); >+ return false; >+ } > DLIST_ADD(lck->delete_tokens, dtl); > lck->modified = true; > return true; >@@ -1504,14 +1510,17 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck, > void set_delete_on_close_lck(files_struct *fsp, > struct share_mode_lock *lck, > bool delete_on_close, >+ const struct security_token *nt_tok, > const struct security_unix_token *tok) > { > struct delete_token_list *dtl; > bool ret; > > if (delete_on_close) { >+ SMB_ASSERT(nt_tok != NULL); > SMB_ASSERT(tok != NULL); > } else { >+ SMB_ASSERT(nt_tok == NULL); > SMB_ASSERT(tok == NULL); > } > >@@ -1528,6 +1537,9 @@ void set_delete_on_close_lck(files_struct *fsp, > TALLOC_FREE(dtl->delete_token); > dtl->delete_token = copy_unix_token(dtl, tok); > SMB_ASSERT(dtl->delete_token != NULL); >+ TALLOC_FREE(dtl->delete_nt_token); >+ dtl->delete_nt_token = dup_nt_token(dtl, nt_tok); >+ SMB_ASSERT(dtl->delete_nt_token != NULL); > } > return; > } >@@ -1538,11 +1550,13 @@ void set_delete_on_close_lck(files_struct *fsp, > return; > } > >- ret = add_delete_on_close_token(lck, fsp->name_hash, tok); >+ ret = add_delete_on_close_token(lck, fsp->name_hash, nt_tok, tok); > SMB_ASSERT(ret); > } > >-bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok) >+bool set_delete_on_close(files_struct *fsp, bool delete_on_close, >+ const struct security_token *nt_tok, >+ const struct security_unix_token *tok) > { > struct share_mode_lock *lck; > >@@ -1557,8 +1571,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s > return False; > } > >- set_delete_on_close_lck(fsp, lck, delete_on_close, >- delete_on_close ? tok : NULL); >+ if (delete_on_close) { >+ set_delete_on_close_lck(fsp, lck, true, >+ nt_tok, >+ tok); >+ } else { >+ set_delete_on_close_lck(fsp, lck, false, >+ NULL, >+ NULL); >+ } > > if (fsp->is_directory) { > SMB_ASSERT(!is_ntfs_stream_smb_fname(fsp->fsp_name)); >@@ -1573,7 +1594,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s > return True; > } > >-const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash) >+/**************************************************************************** >+ Return the NT token and UNIX token if there's a match. Return true if >+ found, false if not. >+****************************************************************************/ >+ >+bool get_delete_on_close_token(struct share_mode_lock *lck, >+ uint32_t name_hash, >+ const struct security_token **pp_nt_tok, >+ const struct security_unix_token **pp_tok) > { > struct delete_token_list *dtl; > >@@ -1584,15 +1613,21 @@ const struct security_unix_token *get_delete_on_close_token(struct share_mode_lo > DEBUG(10,("get_delete_on_close_token: dtl->name_hash = 0x%x\n", > (unsigned int)dtl->name_hash )); > if (dtl->name_hash == name_hash) { >- return dtl->delete_token; >+ if (pp_nt_tok) { >+ *pp_nt_tok = dtl->delete_nt_token; >+ } >+ if (pp_tok) { >+ *pp_tok = dtl->delete_token; >+ } >+ return true; > } > } >- return NULL; >+ return false; > } > > bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash) > { >- return (get_delete_on_close_token(lck, name_hash) != NULL); >+ return get_delete_on_close_token(lck, name_hash, NULL, NULL); > } > > bool set_sticky_write_time(struct file_id fileid, struct timespec write_time) >diff --git a/source3/locking/proto.h b/source3/locking/proto.h >index b7c8990..7745da5 100644 >--- a/source3/locking/proto.h >+++ b/source3/locking/proto.h >@@ -173,12 +173,18 @@ void del_deferred_open_entry(struct share_mode_lock *lck, uint64_t mid, > bool remove_share_oplock(struct share_mode_lock *lck, files_struct *fsp); > bool downgrade_share_oplock(struct share_mode_lock *lck, files_struct *fsp); > NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32 dosmode); >-const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash); >+bool get_delete_on_close_token(struct share_mode_lock *lck, >+ uint32_t name_hash, >+ const struct security_token **pp_nt_tok, >+ const struct security_unix_token **pp_tok); > void set_delete_on_close_lck(files_struct *fsp, > struct share_mode_lock *lck, > bool delete_on_close, >+ const struct security_token *nt_tok, >+ const struct security_unix_token *tok); >+bool set_delete_on_close(files_struct *fsp, bool delete_on_close, >+ const struct security_token *nt_tok, > const struct security_unix_token *tok); >-bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok); > bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash); > bool set_sticky_write_time(struct file_id fileid, struct timespec write_time); > bool set_write_time(struct file_id fileid, struct timespec write_time); >diff --git a/source3/smbd/close.c b/source3/smbd/close.c >index a307f70..36cec1a 100644 >--- a/source3/smbd/close.c >+++ b/source3/smbd/close.c >@@ -280,6 +280,8 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, > NTSTATUS tmp_status; > struct file_id id; > const struct security_unix_token *del_token = NULL; >+ const struct security_token *del_nt_token = NULL; >+ bool got_tokens = false; > > /* Ensure any pending write time updates are done. */ > if (fsp->update_write_time_event) { >@@ -345,7 +347,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, > became_user = True; > } > fsp->delete_on_close = true; >- set_delete_on_close_lck(fsp, lck, True, get_current_utok(conn)); >+ set_delete_on_close_lck(fsp, lck, True, >+ get_current_nttok(conn), >+ get_current_utok(conn)); > if (became_user) { > unbecome_user(); > } >@@ -398,8 +402,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, > */ > fsp->update_write_time_on_close = false; > >- del_token = get_delete_on_close_token(lck, fsp->name_hash); >- SMB_ASSERT(del_token != NULL); >+ got_tokens = get_delete_on_close_token(lck, fsp->name_hash, >+ &del_nt_token, &del_token); >+ SMB_ASSERT(got_tokens); > > if (!unix_token_equal(del_token, get_current_utok(conn))) { > /* Become the user who requested the delete. */ >@@ -418,7 +423,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, > del_token->gid, > del_token->ngroups, > del_token->groups, >- NULL); >+ del_nt_token); > > changed_user = true; > } >@@ -491,7 +496,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, > */ > > fsp->delete_on_close = false; >- set_delete_on_close_lck(fsp, lck, false, NULL); >+ set_delete_on_close_lck(fsp, lck, false, NULL, NULL); > > done: > >@@ -962,6 +967,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, > bool delete_dir = False; > NTSTATUS status = NT_STATUS_OK; > NTSTATUS status1 = NT_STATUS_OK; >+ const struct security_token *del_nt_token = NULL; > const struct security_unix_token *del_token = NULL; > > /* >@@ -998,6 +1004,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, > send_stat_cache_delete_message(fsp->conn->sconn->msg_ctx, > fsp->fsp_name->base_name); > set_delete_on_close_lck(fsp, lck, true, >+ get_current_nttok(fsp->conn), > get_current_utok(fsp->conn)); > fsp->delete_on_close = true; > if (became_user) { >@@ -1005,8 +1012,8 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, > } > } > >- del_token = get_delete_on_close_token(lck, fsp->name_hash); >- delete_dir = (del_token != NULL); >+ delete_dir = get_delete_on_close_token(lck, fsp->name_hash, >+ &del_nt_token, &del_token); > > if (delete_dir) { > int i; >@@ -1038,7 +1045,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, > del_token->gid, > del_token->ngroups, > del_token->groups, >- NULL); >+ del_nt_token); > > TALLOC_FREE(lck); > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index c0e8a98..ac471aa 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -2541,7 +2541,9 @@ static NTSTATUS do_unlink(connection_struct *conn, > } > > /* The set is across all open files on this dev/inode pair. */ >- if (!set_delete_on_close(fsp, True, &conn->session_info->utok)) { >+ if (!set_delete_on_close(fsp, true, >+ conn->session_info->security_token, >+ &conn->session_info->utok)) { > close_file(req, fsp, NORMAL_CLOSE); > return NT_STATUS_ACCESS_DENIED; > } >@@ -5650,7 +5652,9 @@ void reply_rmdir(struct smb_request *req) > goto out; > } > >- if (!set_delete_on_close(fsp, true, &conn->session_info->utok)) { >+ if (!set_delete_on_close(fsp, true, >+ conn->session_info->security_token, >+ &conn->session_info->utok)) { > close_file(req, fsp, ERROR_CLOSE); > reply_nterror(req, NT_STATUS_ACCESS_DENIED); > goto out; >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 6f933dd..c7cf1a2 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -5827,6 +5827,7 @@ static NTSTATUS smb_set_file_disposition_info(connection_struct *conn, > > /* The set is across all open files on this dev/inode pair. */ > if (!set_delete_on_close(fsp, delete_on_close, >+ conn->session_info->security_token, > &conn->session_info->utok)) { > return NT_STATUS_ACCESS_DENIED; > } >-- >1.7.7.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 8837
:
7422
|
7423
|
7442
|
7443