The Samba-Bugzilla – Attachment 9783 Details for
Bug 9878
force user does not work as expected
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.1.next
bug-9878-4.1.patch (text/plain), 2.25 KB, created by
Jeremy Allison
on 2014-03-17 23:09:22 UTC
(
hide
)
Description:
git-am fix for 4.1.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2014-03-17 23:09:22 UTC
Size:
2.25 KB
patch
obsolete
>From 34d4e883146bccda53422fa50a35ab25ca880d2e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 17 Mar 2014 14:35:00 -0700 >Subject: [PATCH] s3: smbd: Fileserving share access checks. > >Git commit 86d1e1db8e2747e30c89627cda123fde1e84f579 >fixed share_access not being reset between users, >by changing make_connection_snum() to call a common >function check_user_share_access() in the same way >that change_to_user() (which can be called on any >incoming packet) does. > >Unfortunately that bugfix was incorrect and >broke "force user" and "force group" as it >called check_user_share_access() inside >make_connection_snum() using the conn->session_info >pointer instead of the vuser->session_info pointer. > >conn->session_info represents the token to use >when actually accessing the file system, and so >is modified by force user and force group. > >vuser->session_info represents the "pristine" >token of the user logging in, and is never modified >by force user and force group. > >Samba 3.6.x checked the share access based on >the "pristine" token of the user logging in, >not the token modified by force user and force group. >This change restores the expected behavior. > >Fixes bug #9878 - force user does not work as expected > >https://bugzilla.samba.org/show_bug.cgi?id=9878 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/service.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > >diff --git a/source3/smbd/service.c b/source3/smbd/service.c >index a7464f0..7d06551 100644 >--- a/source3/smbd/service.c >+++ b/source3/smbd/service.c >@@ -614,11 +614,19 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, > } > > /* >- * Set up the share security descriptor >+ * Set up the share security descriptor. >+ * NOTE - we use the *INCOMING USER* session_info >+ * here, as does (indirectly) change_to_user(), >+ * which can be called on any incoming packet. >+ * This way we set up the share access based >+ * on the authenticated user, not the forced >+ * user. See bug: >+ * >+ * https://bugzilla.samba.org/show_bug.cgi?id=9878 > */ > > status = check_user_share_access(conn, >- conn->session_info, >+ vuser->session_info, > &conn->share_access, > &conn->read_only); > if (!NT_STATUS_IS_OK(status)) { >-- >1.9.0.279.gdc9e3eb >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=9783">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
obnox
:
review+
asn
:
review+
Actions:
View
Attachments on
bug 9878
:
9781
|
9782
| 9783 |
9784