author | Stefan Metzmacher <metze@samba.org> | 2011-07-12 17:31:13 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-07-26 21:54:04 +0200 |
commit | d838f98b83d9f1edeccd48f3696c7dfc9048c954 (patch) | |
tree | f515531f3247400a7d68cd17c5f3d46c0cd3337e | |
parent | 29e04dfa5245c06ee9c3e35891d0c344898fa11d (diff) | |
s3:smbd/msdfs: let create_conn_struct() check the share security descriptor
metze
(cherry picked from commit 18f967a24881aa899b39f7676fc70a7f7aaca07b)
(cherry picked from commit bd91cb862c4ceb3955c742d1c516e51733a19e6e)
-rw-r--r-- | source3/smbd/msdfs.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index ab67ac8596d..3bdedb8651e 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -27,6 +27,7 @@
 #include "smbd/globals.h"
 #include "msdfs.h"
 #include "auth.h"
+#include "libcli/security/security.h"
 /**********************************************************************
 Parse a DFS pathname of the form \hostname\service\reqpath
@@ -278,6 +279,35 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 set_conn_connectpath(conn, connpath);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ *
+ */
+ if (conn->session_info) {
+ share_access_check(conn->session_info->security_token,
+ lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+ if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+ if ((conn->share_access & FILE_READ_DATA) == 0) {
+ /* No access, read or write. */
+ DEBUG(0,("create_conn_struct: connection to %s "
+ "denied due to security "
+ "descriptor.\n",
+ lp_servicename(snum)));
+ conn_free(conn);
+ return NT_STATUS_ACCESS_DENIED;
+ } else {
+ conn->read_only = true;
+ }
+ }
+ } else {
+ conn->share_access = 0;
+ conn->read_only = true;
+ }
+
 if (!smbd_vfs_init(conn)) {
 NTSTATUS status = map_nt_error_from_unix(errno);
 DEBUG(0,("create_conn_struct: smbd_vfs_init failed.\n")); |
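Review bot: The result of `share_access_check()` is discarded in the added block of the second hunk, so the allow/deny decision rests entirely on whatever the call leaves in `conn->share_access`; nothing visible in this hunk guarantees that field is zero if the call fails before writing it. Setting `conn->share_access = 0;` immediately before the call (or testing the return value, if the function reports failure that way) would make the deny-by-default behaviour explicit here rather than dependent on how `conn` was allocated. The `else` branch for a missing `conn->session_info` lets the connection proceed read-only without evaluating the share security descriptor at all, which deserves a comment such as `/* no session: no token to evaluate, grant no share access bits and force read-only */`. The block comment also misspells "descriptor" as "descripter". create_conn_struct begins and ends outside this hunk.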