Don't rely on the underlying ACL modules to enforce share level

security when setting ACLs, check at the call level as well.

Jeremy.

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 78774dc1b08e2d5667e6140add532f4813a75263..1e4e06cf26025a743144f9157bdb764c5d81c77a 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1967,6 +1967,11 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
                return;
        }
 
+       if (!CAN_WRITE(fsp->conn)) {
+               reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+               return;
+       }
+
        if(!lp_nt_acl_support(SNUM(conn))) {
                goto done;
        }

diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3e1bdd2771278c05ae700d6161bbbde03496bbff..4b837c13b32489a932da2b0656db3d281747e4ec 100644 (file)
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -311,6 +311,11 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx,
 
        case 0x03:/* SMB2_SETINFO_SECURITY */
        {
+               if (!CAN_WRITE(conn)) {
+                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                       return tevent_req_post(req, ev);
+               }
+
                status = set_sd(fsp,
                                in_input_buffer.data,
                                in_input_buffer.length,