The Samba-Bugzilla – Attachment 888 Details for
Bug 2242
NT_TRANSACT_CREATE should not apply security descriptor (SD) always
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Check smb_action before applying SD
nttrans.patch (text/plain), 1.46 KB, created by
Tom Lackemann
on 2005-01-13 15:16:56 UTC
(
hide
)
Description:
Check smb_action before applying SD
Filename:
MIME Type:
Creator:
Tom Lackemann
Created:
2005-01-13 15:16:56 UTC
Size:
1.46 KB
patch
obsolete
>diff -Nurp samba310-basis/source/smbd/nttrans.c smb-patch/source/smbd/nttrans.c >--- samba310-basis/source/smbd/nttrans.c Wed Dec 15 09:33:17 2004 >+++ smb-patch/source/smbd/nttrans.c Thu Jan 13 16:11:27 2005 >@@ -1415,11 +1429,26 @@ static int call_nt_transact_create(conne > * Now try and apply the desired SD. > */ > >- if (lp_nt_acl_support(SNUM(conn)) && sd_len && >- !NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) { >- close_file(fsp,False); >- restore_case_semantics(conn, file_attributes); >- return ERROR_NT(status); >+ /* >+ * According to the M$ documentation, the only time the security >+ * descriptor is applied to the opened file is iff we *created* the >+ * file; an existing file stays the same. >+ * >+ * Also, it seems (from observation) that you can open the file with >+ * any access mask but you can still write the sd. We need to override >+ * the granted access before we call set_sd >+ */ >+ if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) { >+ uint32 saved_access = fsp->desired_access; >+ >+ fsp->desired_access = FILE_GENERIC_ALL; >+ >+ if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) { >+ close_file(fsp,False); >+ restore_case_semantics(conn, file_attributes); >+ return ERROR_NT(status); >+ } >+ fsp->desired_access = saved_access; > } > > restore_case_semantics(conn, file_attributes);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 2242
: 888