The Samba-Bugzilla – Attachment 7457 Details for Bug 8857: Setting traverse rights fails to enable directory traversal when acl_xattr in use
[patch] git-am patch for v3-6-test
look (text/plain), 3.12 KB, created by Jeremy Allison on 2012-04-17 01:21:22 UTC
>From f6daedfa55c5f6beb677b0d150c68606f46bc3f9 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Apr 2012 18:04:51 -0700 >Subject: [PATCH 1/2] Fix incorrect debug - parent_name is never set ! > >--- > source3/modules/vfs_acl_common.c | 4 +--- > 1 files changed, 1 insertions(+), 3 deletions(-) > >diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c >index fe4c822..6b2d244 100644 >--- a/source3/modules/vfs_acl_common.c >+++ b/source3/modules/vfs_acl_common.c >@@ -574,7 +574,6 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, > uint32_t access_mask, > struct security_descriptor **pp_parent_desc) > { >- char *parent_name = NULL; > struct security_descriptor *parent_desc = NULL; > uint32_t access_granted = 0; > NTSTATUS status; >@@ -593,9 +592,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, > &access_granted); > if(!NT_STATUS_IS_OK(status)) { > DEBUG(10,("check_parent_acl_common: access check " >- "on directory %s for " >+ "on parent directory of " > "path %s for mask 0x%x returned %s\n", >- parent_name, > path, > access_mask, > nt_errstr(status) )); >-- >1.7.7.3 > > >From 9cb4b765c1a6aa739e3c3279e05f312d38282081 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Apr 2012 18:17:25 -0700 >Subject: [PATCH 2/2] Bugfix for #8857 - Setting traverse rights fails to > enable directory traversal when acl_xattr in use. > >We were incorrectly checking the parent directory ACL, instead >of the ACL of the directory we're trying to open. >--- > source3/modules/vfs_acl_common.c | 35 +++++++++++++++++++++++++++++++++-- > 1 files changed, 33 insertions(+), 2 deletions(-) > >diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c >index 6b2d244..6cc7f09 100644 >--- a/source3/modules/vfs_acl_common.c >+++ b/source3/modules/vfs_acl_common.c 
>@@ -828,13 +828,44 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, > static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle, > const char *fname, const char *mask, uint32 attr) > { >- NTSTATUS status = check_parent_acl_common(handle, fname, >- SEC_DIR_LIST, NULL); >+ NTSTATUS status; >+ uint32_t access_granted = 0; >+ struct security_descriptor *sd = NULL; >+ >+ status = get_nt_acl_internal(handle, >+ NULL, >+ fname, >+ (SECINFO_OWNER | >+ SECINFO_GROUP | >+ SECINFO_DACL | >+ SECINFO_SACL), >+ &sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(10,("opendir_acl_common: " >+ "get_nt_acl_internal for dir %s " >+ "failed with error %s\n", >+ fname, >+ nt_errstr(status) )); >+ errno = map_errno_from_nt_status(status); >+ return NULL; >+ } > >+ /* See if we can access it. */ >+ status = smb1_file_se_access_check(handle->conn, >+ sd, >+ get_current_nttok(handle->conn), >+ SEC_DIR_LIST, >+ &access_granted); > if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(10,("opendir_acl_common: %s open " >+ "for access SEC_DIR_LIST " >+ "refused with error %s\n", >+ fname, >+ nt_errstr(status) )); > errno = map_errno_from_nt_status(status); > return NULL; > } >+ > return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr); > } > >-- >1.7.7.3 >
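Review bot: In the DEBUG call of check_parent_acl_common (patch 1/2, second hunk), access_mask is declared uint32_t but is printed with 0x%x; cast it to (unsigned int) so the format and the argument agree on every platform. The reworded message also no longer says which directory was actually checked, only "parent directory of path %s", so if the parent path is available at that point it would be more useful to log it than to drop it.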
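Review bot: In opendir_acl_common (patch 2/2), sd filled in by get_nt_acl_internal is not released on the refusal path or before the SMB_VFS_NEXT_OPENDIR return; unless it lives on a stackframe the caller frees, add TALLOC_FREE(sd) once smb1_file_se_access_check has returned. The request also includes SECINFO_SACL although the only check made is for SEC_DIR_LIST, so consider dropping it if the access check does not need the SACL. A one-line comment above the get_nt_acl_internal call saying that the ACL of the directory being opened, not its parent, is what gets checked would keep the reasoning from the commit message next to the code.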
Flags: jra: review+