authorStefan Metzmacher <metze@samba.org>2011-07-10 13:03:51 +0200
committerKarolin Seeger <kseeger@samba.org>2011-07-26 21:54:10 +0200
commitc752911b9c82183d1bccdee02fbeb8821b193abd (patch)
tree3116bb77795cb1250e003a769afd5058e14dd647
parent6271906316f2f371a4a9672808aee5d214d3db04 (diff)
s3:smbd: check the share level access mask in smbd_calculate_access_mask()
I think we should reject invalid access early, before we might create new files. Also smbd_check_open_rights() is only called if the file existed. metze (cherry picked from commit 896f105ed40dc04f83bcbfac367b309c8d957f86) (cherry picked from commit d43f7ffb9fa8449a954d2e9fc9012a00289b41e2)
-rw-r--r--source3/smbd/open.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 58102e4c9ad..81d4e69364a 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1529,6 +1529,8 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
uint32_t *access_mask_out)
{
NTSTATUS status;
+ uint32_t orig_access_mask = access_mask;
+ uint32_t rejected_share_access;
/*
* Convert GENERIC bits to specific bits.
@@ -1576,6 +1578,21 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
} else {
access_mask = FILE_GENERIC_ALL;
}
+
+ access_mask &= conn->share_access;
+ }
+
+ rejected_share_access = access_mask & ~(conn->share_access);
+
+ if (rejected_share_access) {
+ DEBUG(10, ("smbd_calculate_access_mask: Access denied on "
+ "file %s: rejected by share access mask[0x%08X] "
+ "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n",
+ smb_fname_str_dbg(smb_fname),
+ conn->share_access,
+ orig_access_mask, access_mask,
+ rejected_share_access));
+ return NT_STATUS_ACCESS_DENIED;
}
*access_mask_out = access_mask;
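Review bot: The two paths treat bits outside `conn->share_access` differently and nothing in the code says so: inside the MAXIMUM_ALLOWED branch the mask is silently clamped by `access_mask &= conn->share_access;`, so `rejected_share_access` is always zero for those requests, while explicitly requested bits are refused with NT_STATUS_ACCESS_DENIED. A short comment above the check would keep a later cleanup from dropping either half, for example `/* MAXIMUM_ALLOWED was clamped to the share mask above; explicitly requested bits outside it are refused here, before any file is created. */`. The denial path also returns before `*access_mask_out` is written, which is worth stating in the function's header comment so callers do not read it on failure. In the visible else branch `access_mask = FILE_GENERIC_ALL;` replaces the mapped mask, so explicit bits sent together with MAXIMUM_ALLOWED appear to be dropped rather than checked against the share mask; that looks pre-existing, but confirm it is intended. The body of smbd_calculate_access_mask() starts and ends outside the hunk.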