Attachment 888 Details for Bug 2242 – Check smb_action before applying SD

[patch] Check smb_action before applying SD

nttrans.patch (text/plain), 1.46 KB, created by Tom Lackemann on 2005-01-13 15:16:56 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Tom Lackemann

Created: 2005-01-13 15:16:56 UTC

Size: 1.46 KB

patch

obsolete

>diff -Nurp samba310-basis/source/smbd/nttrans.c smb-patch/source/smbd/nttrans.c
>--- samba310-basis/source/smbd/nttrans.c	Wed Dec 15 09:33:17 2004
>+++ smb-patch/source/smbd/nttrans.c	Thu Jan 13 16:11:27 2005
>@@ -1415,11 +1429,26 @@ static int call_nt_transact_create(conne
> 	 * Now try and apply the desired SD.
> 	 */
> 
>-	if (lp_nt_acl_support(SNUM(conn)) && sd_len &&
>-			!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
>-		close_file(fsp,False);
>-		restore_case_semantics(conn, file_attributes);
>-		return ERROR_NT(status);
>+   /*
>+    *   According to the M$ documentation, the only time the security
>+    *   descriptor is applied to the opened file is iff we *created* the
>+    *   file; an existing file stays the same.
>+    *
>+    *   Also, it seems (from observation) that you can open the file with
>+    *   any access mask but you can still write the sd. We need to override
>+    *   the granted access before we call set_sd
>+    */
>+   if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) {
>+      uint32 saved_access = fsp->desired_access;
>+
>+      fsp->desired_access = FILE_GENERIC_ALL;
>+      
>+      if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
>+         close_file(fsp,False);
>+         restore_case_semantics(conn, file_attributes);
>+         return ERROR_NT(status);
>+      }
>+      fsp->desired_access = saved_access;
> 	}
> 	
> 	restore_case_semantics(conn, file_attributes);

Actions: View

Attachments on bug 2242: 888