From 13e65afe1c925277e128f90dcb6ef83f31e40218 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Nov 2012 14:40:50 -0800 Subject: [PATCH 1/2] Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evaluating file/directory ACE's. If we can access the path to this file, by default we have FILE_READ_ATTRIBUTES from the containing directory. See the section. "Algorithm to Check Access to an Existing File" in MS-FSA.pdf. Signed-off-by: Jeremy Allison Reviewed-by: Michael Adam (cherry picked from commit 4985332b951d8cd46c9c0cd877875ab7839b4edb) --- source3/smbd/open.c | 24 +++++++++++++++++++++--- 1 files changed, 21 insertions(+), 3 deletions(-) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index a9a9198..7e0dee2 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -130,7 +130,13 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn, } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() also takes care of * owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(sd, @@ -247,7 +253,13 @@ static NTSTATUS check_parent_access(struct connection_struct *conn, } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() also takes care of * owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(parent_sd, @@ -1693,7 +1705,13 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( } /* - * Never test FILE_READ_ATTRIBUTES. se_file_access_check() + * If we can access the path to this file, by + * default we have FILE_READ_ATTRIBUTES from the + * containing directory. See the section: + * "Algorithm to Check Access to an Existing File" + * in MS-FSA.pdf. + * + * se_file_access_check() * also takes care of owner WRITE_DAC and READ_CONTROL. */ status = se_file_access_check(sd, -- 1.7.7.3 From 6508089254d73a39ce1ab7901dfa28294a8c505c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Nov 2012 14:40:51 -0800 Subject: [PATCH 2/2] More for #9374 - Allow smb2.acls torture test to pass against smbd with a POSIX ACLs backend. Change can_delete_directory() to can_delete_directory_fsp(), as we only ever call this from an open directory file handle. This allows us to use OpenDir_fsp() instead of OpenDir(). OpenDir() re-checks the ACL on the directory, which may refuse DIR_LIST permissions. OpenDir_fsp() does not. As this is a file-server internal check to see if the directory actually contains any files before setting delete on close, we can ignore the ACL here (Windows does). Signed-off-by: Jeremy Allison Reviewed-by: Michael Adam Autobuild-User(master): Michael Adam Autobuild-Date(master): Tue Nov 20 01:46:28 CET 2012 on sn-devel-104 (cherry picked from commit c5ad5029fd87b36426927d57425d5debbb26394c) --- source3/include/proto.h | 3 +-- source3/smbd/dir.c | 14 +++++++++----- source3/smbd/file_access.c | 3 +-- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 7c5a5a7..449bbc1 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1628,8 +1628,7 @@ void cancel_pending_lock_requests_by_fid(files_struct *fsp, enum file_close_type close_type); void send_stat_cache_delete_message(struct messaging_context *msg_ctx, const char *name); -NTSTATUS can_delete_directory(struct connection_struct *conn, - const char *dirname); +NTSTATUS can_delete_directory_fsp(files_struct *fsp); bool change_to_root_user(void); void contend_level2_oplocks_begin(files_struct *fsp, enum level2_contention_type type); diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index cb27110..1a9aa43 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -1740,16 +1740,20 @@ bool SearchDir(struct smb_Dir *dirp, const char *name, long *poffset) Is this directory empty ? *****************************************************************/ -NTSTATUS can_delete_directory(struct connection_struct *conn, - const char *dirname) +NTSTATUS can_delete_directory_fsp(files_struct *fsp) { NTSTATUS status = NT_STATUS_OK; long dirpos = 0; const char *dname = NULL; + const char *dirname = fsp->fsp_name->base_name; char *talloced = NULL; SMB_STRUCT_STAT st; - struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), conn, - dirname, NULL, 0); + struct connection_struct *conn = fsp->conn; + struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(), + conn, + fsp, + NULL, + 0); if (!dir_hnd) { return map_nt_error_from_unix(errno); @@ -1769,7 +1773,7 @@ NTSTATUS can_delete_directory(struct connection_struct *conn, continue; } - DEBUG(10,("can_delete_directory: got name %s - can't delete\n", + DEBUG(10,("got name %s - can't delete\n", dname )); status = NT_STATUS_DIRECTORY_NOT_EMPTY; break; diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c index 6ced6a6..9bf7e9b 100644 --- a/source3/smbd/file_access.c +++ b/source3/smbd/file_access.c @@ -226,8 +226,7 @@ NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32 dosmode) return NT_STATUS_ACCESS_DENIED; } - return can_delete_directory(fsp->conn, - fsp->fsp_name->base_name); + return can_delete_directory_fsp(fsp); } return NT_STATUS_OK; -- 1.7.7.3