diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-07-10 13:03:51 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-07-26 21:54:10 +0200 |
commit | c752911b9c82183d1bccdee02fbeb8821b193abd (patch) | |
tree | 3116bb77795cb1250e003a769afd5058e14dd647 | |
parent | 6271906316f2f371a4a9672808aee5d214d3db04 (diff) | |
download | samba-c752911b9c82183d1bccdee02fbeb8821b193abd.tar.gz samba-c752911b9c82183d1bccdee02fbeb8821b193abd.tar.xz samba-c752911b9c82183d1bccdee02fbeb8821b193abd.zip |
s3:smbd: check the share level access mask in smbd_calculate_access_mask()
I think we should reject invalid access early,
before we might create new files.
Also smbd_check_open_rights() is only called if the file existed.
metze
(cherry picked from commit 896f105ed40dc04f83bcbfac367b309c8d957f86)
(cherry picked from commit d43f7ffb9fa8449a954d2e9fc9012a00289b41e2)
-rw-r--r-- | source3/smbd/open.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 58102e4c9ad..81d4e69364a 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1529,6 +1529,8 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, uint32_t *access_mask_out) { NTSTATUS status; + uint32_t orig_access_mask = access_mask; + uint32_t rejected_share_access; /* * Convert GENERIC bits to specific bits. @@ -1576,6 +1578,21 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, } else { access_mask = FILE_GENERIC_ALL; } + + access_mask &= conn->share_access; + } + + rejected_share_access = access_mask & ~(conn->share_access); + + if (rejected_share_access) { + DEBUG(10, ("smbd_calculate_access_mask: Access denied on " + "file %s: rejected by share access mask[0x%08X] " + "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n", + smb_fname_str_dbg(smb_fname), + conn->share_access, + orig_access_mask, access_mask, + rejected_share_access)); + return NT_STATUS_ACCESS_DENIED; } *access_mask_out = access_mask; |