*/
#include "includes.h"
+#include "printing.h"
#include "smbd/globals.h"
+#include "fake_file.h"
#include "librpc/gen_ndr/messaging.h"
+#include "../libcli/security/security.h"
#include "../librpc/gen_ndr/ndr_security.h"
extern const struct generic_mapping file_generic_mapping;
NTSTATUS smb1_file_se_access_check(struct connection_struct *conn,
const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
+ const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
{
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
(SECINFO_OWNER |
- GROUP_SECURITY_INFORMATION |
- DACL_SECURITY_INFORMATION),&sd);
+ SECINFO_GROUP |
+ SECINFO_DACL),&sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("smbd_check_open_rights: Could not get acl "
}
#if defined(DEVELOPER)
-static void validate_my_share_entries(int num,
+static void validate_my_share_entries(struct smbd_server_connection *sconn,
+ int num,
struct share_mode_entry *share_entry)
{
files_struct *fsp;
return;
}
- fsp = file_find_dif(share_entry->id,
+ fsp = file_find_dif(sconn, share_entry->id,
share_entry->share_file_id);
if (!fsp) {
DEBUG(0,("validate_my_share_entries: PANIC : %s\n",
#if defined(DEVELOPER)
for(i = 0; i < lck->num_share_modes; i++) {
- validate_my_share_entries(i, &lck->share_modes[i]);
+ validate_my_share_entries(conn->sconn, i,
+ &lck->share_modes[i]);
}
#endif
exclusive->op_type | FORCE_OPLOCK_BREAK_TO_NONE);
}
- status = messaging_send_buf(smbd_messaging_context(), exclusive->pid,
+ status = messaging_send_buf(fsp->conn->sconn->msg_ctx, exclusive->pid,
MSG_SMB_BREAK_REQUEST,
(uint8 *)msg,
MSG_SMB_SHARE_MODE_ENTRY_SIZE);
state->id, (char *)state, sizeof(*state))) {
exit_server("push_deferred_open_message_smb failed");
}
- add_deferred_open(lck, req->mid, request_time, state->id);
+ add_deferred_open(lck, req->mid, request_time,
+ sconn_server_id(req->sconn), state->id);
}
DEBUG(5,("fcb_or_dos_open: attempting old open semantics for "
"file %s.\n", smb_fname_str_dbg(smb_fname)));
- for(fsp = file_find_di_first(id); fsp;
+ for(fsp = file_find_di_first(conn->sconn, id); fsp;
fsp = file_find_di_next(fsp)) {
DEBUG(10,("fcb_or_dos_open: checking file %s, fd = %d, "
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
(SECINFO_OWNER |
- GROUP_SECURITY_INFORMATION |
- DACL_SECURITY_INFORMATION),&sd);
+ SECINFO_GROUP |
+ SECINFO_DACL),&sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("calculate_access_mask: Could not get acl "
Remove the deferred open entry under lock.
****************************************************************************/
-void remove_deferred_open_entry(struct file_id id, uint64_t mid)
+void remove_deferred_open_entry(struct file_id id, uint64_t mid,
+ struct server_id pid)
{
struct share_mode_lock *lck = get_share_mode_lock(talloc_tos(), id,
NULL, NULL, NULL);
if (lck == NULL) {
DEBUG(0, ("could not get share mode lock\n"));
} else {
- del_deferred_open_entry(lck, mid);
+ del_deferred_open_entry(lck, mid, pid);
TALLOC_FREE(lck);
}
}
ZERO_STRUCT(id);
+ /* Windows allows a new file to be created and
+ silently removes a FILE_ATTRIBUTE_DIRECTORY
+ sent by the client. Do the same. */
+
+ new_dos_attributes &= ~FILE_ATTRIBUTE_DIRECTORY;
+
if (conn->printer) {
/*
* Printers are handled completely differently.
return NT_STATUS_INTERNAL_ERROR;
}
- return print_fsp_open(req, conn, smb_fname->base_name,
- req->vuid, fsp);
+ return print_spool_open(fsp, smb_fname->base_name,
+ req->vuid);
}
if (!parent_dirname(talloc_tos(), smb_fname->base_name, &parent_dir,
see if this has timed out. */
/* Remove the deferred open entry under lock. */
- remove_deferred_open_entry(state->id, req->mid);
+ remove_deferred_open_entry(
+ state->id, req->mid,
+ sconn_server_id(req->sconn));
/* Ensure we don't reprocess this message. */
remove_deferred_open_message_smb(req->mid);
if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
(def_acl = directory_has_default_acl(conn, parent_dir))) {
- unx_mode = 0777;
+ unx_mode = (0777 & lp_create_mask(SNUM(conn)));
}
DEBUG(4,("calling open_file with flags=0x%X flags2=0x%X mode=0%o, "
* If requested, truncate the file.
*/
- if (flags2&O_TRUNC) {
+ if (file_existed && (flags2&O_TRUNC)) {
/*
* We are modifing the file after open - update the stat
* struct..
/* If this is a successful open, we must remove any deferred open
* records. */
if (req != NULL) {
- del_deferred_open_entry(lck, req->mid);
+ del_deferred_open_entry(lck, req->mid,
+ sconn_server_id(req->sconn));
}
TALLOC_FREE(lck);
SMB_ASSERT(!is_ntfs_stream_smb_fname(smb_dname));
+ /* Ensure we have a directory attribute. */
+ file_attributes |= FILE_ATTRIBUTE_DIRECTORY;
+
DEBUG(5,("open_directory: opening directory %s, access_mask = 0x%x, "
"share_access = 0x%x create_options = 0x%x, "
"create_disposition = 0x%x, file_attributes = 0x%x\n",
return status;
}
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
DEBUG(10, ("open_directory: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
smb_fname_str_dbg(smb_dname)));
struct server_id server_id,
DATA_BLOB *data)
{
+ struct smbd_server_connection *sconn;
files_struct *fsp;
char *frm = (char *)data->data;
struct file_id id;
size_t sp_len, bn_len;
NTSTATUS status;
+ sconn = msg_ctx_to_sconn(msg);
+ if (sconn == NULL) {
+ DEBUG(1, ("could not find sconn\n"));
+ return;
+ }
+
if (data->data == NULL
|| data->length < MSG_FILE_RENAMED_MIN_SIZE + 2) {
DEBUG(0, ("msg_file_was_renamed: Got invalid msg len %d\n",
sharepath, smb_fname_str_dbg(smb_fname),
file_id_string_tos(&id)));
- for(fsp = file_find_di_first(id); fsp; fsp = file_find_di_next(fsp)) {
+ for(fsp = file_find_di_first(sconn, id); fsp;
+ fsp = file_find_di_next(fsp)) {
if (memcmp(fsp->conn->connectpath, sharepath, sp_len) == 0) {
DEBUG(10,("msg_file_was_renamed: renaming file fnum %d from %s -> %s\n",
goto fail;
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !user_has_privileges(current_user.nt_user_token,
- &se_security)) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
-#else
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
- /* Don't allow a SACL set from an NTtrans create until we
- * support SeSecurityPrivilege. */
- if (!VALID_STAT(smb_fname->st) &&
- lp_nt_acl_support(SNUM(conn)) &&
- sd && (sd->sacl != NULL)) {
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
+ DEBUG(10, ("create_file_unixpath: open on %s "
+ "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+ smb_fname_str_dbg(smb_fname)));
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
-#endif
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_smb_fname(smb_fname)
security_acl_map_generic(sd->sacl, &file_generic_mapping);
if (sec_info_sent & (SECINFO_OWNER|
- GROUP_SECURITY_INFORMATION|
- DACL_SECURITY_INFORMATION|
- SACL_SECURITY_INFORMATION)) {
+ SECINFO_GROUP|
+ SECINFO_DACL|
+ SECINFO_SACL)) {
status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
}
git.samba.org / abartlet / samba.git / .git / blobdiff