author | Jeremy Allison <jra@samba.org> | 2010-02-17 10:46:21 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2010-02-24 16:25:10 +0100 |
commit | c02aa2fb818762d6197255396c64e54be88d22a9 (patch) | |
tree | 8e622c000a4fe94ffc92ccd80d60441cf25ab039 | |
parent | 7cd8009598af1efa255418562f8b4f9bfdf6a9be (diff) | |
Fix bug #6557 - Do not work VFS full_audit
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy.
(cherry picked from commit 20b6d0406f0f72895f99636beee7a370195147fd)
-rw-r--r-- | source/smbd/service.c | 34 |
1 files changed, 16 insertions, 18 deletions
diff --git a/source/smbd/service.c b/source/smbd/service.c
index 7ba1043c7bc..8c9d75d1e9d 100644
--- a/source/smbd/service.c
+++ b/source/smbd/service.c
@@ -720,7 +720,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 fstring dev;
 int ret;
 char addr[INET6_ADDRSTRLEN];
- bool on_err_call_dis_hook = false;
 NTSTATUS status;
 fstrcpy(dev, pdev);
@@ -958,6 +957,18 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 return NULL;
 }
+ /* Invoke VFS make connection hook - must be the first
+ VFS operation we do. */
+
+ if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+ conn->server_info->unix_name) < 0) {
+ DEBUG(0,("make_connection: VFS make connection failed!\n"));
+ yield_connection(conn, lp_servicename(snum));
+ conn_free(conn);
+ *pstatus = NT_STATUS_UNSUCCESSFUL;
+ return NULL;
+ }
+
 /*
 * Fix compatibility issue pointed out by Volker.
 * We pass the conn->connectpath to the preexec
@@ -988,6 +999,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 if (ret != 0 && lp_rootpreexec_close(snum)) {
 DEBUG(1,("root preexec gave %d - failing "
 "connection\n", ret));
+ SMB_VFS_DISCONNECT(conn);
 yield_connection(conn, lp_servicename(snum));
 conn_free(conn);
 *pstatus = NT_STATUS_ACCESS_DENIED;
@@ -999,6 +1011,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 if (!change_to_user(conn, conn->vuid)) {
 /* No point continuing if they fail the basic checks */
 DEBUG(0,("Can't become connected user!\n"));
+ SMB_VFS_DISCONNECT(conn);
 yield_connection(conn, lp_servicename(snum));
 conn_free(conn);
 *pstatus = NT_STATUS_LOGON_FAILURE;
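Review bot: The new comment above the relocated `SMB_VFS_CONNECT` call (hunk at -958) says only that it must be the first VFS operation; it does not record the credential context, which per the commit description is now root, not the connecting user. Every module's connect hook receives `lp_servicename(snum)` and `conn->server_info->unix_name`, so anything a module opens, creates or executes from those values during connect is presumably done with root privileges, and that belongs where module authors will read it. I would extend the comment to `/* Invoke VFS make connection hook as root - must be the first VFS operation we do. Modules must not assume user credentials here. */`. The enclosing function starts and ends outside the hunk, so the credential state at this line is taken from the commit message, not from visible code.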
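Review bot: In the `change_to_user` failure branch (hunk at -999) the added `SMB_VFS_DISCONNECT(conn);` runs without a preceding `change_to_root_user()`, whereas the shared `err_root_exit` path restores root before calling the same hook. If `change_to_user` can fail after partly switching credentials, which is not visible here, the disconnect hooks would run under an indeterminate identity. Replacing the copied teardown with `*pstatus = NT_STATUS_LOGON_FAILURE;` followed by `goto err_root_exit;` would close that gap and remove the duplication; the root-preexec branch (hunk at -988) could do the same with `NT_STATUS_ACCESS_DENIED`. Both branches sit inside `make_connection_snum`, whose body extends beyond these hunks.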
@@ -1064,19 +1077,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 lp_aio_write_behind(snum));
 }
- /* Invoke VFS make connection hook - do this before the VFS_STAT call
- to allow any filesystems needing user credentials to initialize
- themselves. */
-
- if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
- conn->server_info->unix_name) < 0) {
- DEBUG(0,("make_connection: VFS make connection failed!\n"));
- *pstatus = NT_STATUS_UNSUCCESSFUL;
- goto err_root_exit;
- }
-
- /* Any error exit after here needs to call the disconnect hook. */
- on_err_call_dis_hook = true;
 /* win2000 does not check the permissions on the directory
 during the tree connect, instead relying on permission
@@ -1149,10 +1149,8 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 err_root_exit:
 change_to_root_user();
- if (on_err_call_dis_hook) {
- /* Call VFS disconnect hook */
- SMB_VFS_DISCONNECT(conn);
- }
+ /* Call VFS disconnect hook */
+ SMB_VFS_DISCONNECT(conn);
 yield_connection(conn, lp_servicename(snum));
 conn_free(conn);
 return NULL; |
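Review bot: `err_root_exit` now calls `SMB_VFS_DISCONNECT(conn)` unconditionally (hunk at -1149), which is correct only if no `goto err_root_exit` can be reached before the relocated `SMB_VFS_CONNECT` has succeeded. The jumps to this label lie outside the hunks shown, so that invariant should be checked and written down at the label, e.g. `/* Only reached after SMB_VFS_CONNECT succeeded - always call the VFS disconnect hook. */`. Otherwise a module's disconnect hook could run against per-connection state its connect hook never set up.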