s3: Return "granted" from share_access_check
authorVolker Lendecke <vl@samba.org>
Mon, 4 Jul 2011 15:02:34 +0000 (17:02 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 5 Jul 2011 11:28:03 +0000 (13:28 +0200)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/include/proto.h
source3/lib/sharesec.c
source3/rpc_server/srvsvc/srv_srvsvc_nt.c
source3/smbd/service.c
source3/smbd/uid.c

index 91905d3cbcb49b4aaddff9e5f05ce1224e10c772..c6fd47497825edb65fe293fdb5e4b3ce7b6b3769 100644 (file)
@@ -244,8 +244,10 @@ struct security_descriptor *get_share_security( TALLOC_CTX *ctx, const char *ser
                              size_t *psize);
 bool set_share_security(const char *share_name, struct security_descriptor *psd);
 bool delete_share_security(const char *servicename);
-bool share_access_check(const struct security_token *token, const char *sharename,
-                       uint32 desired_access);
+bool share_access_check(const struct security_token *token,
+                       const char *sharename,
+                       uint32 desired_access,
+                       uint32_t *pgranted);
 bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, struct security_descriptor **ppsd);
 
 /* The following definitions come from lib/smbrun.c  */
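Review bot: The new prototype spells the same type two ways, `uint32 desired_access` next to `uint32_t *pgranted`; using one spelling for both keeps the declaration consistent. The prototype also gives no hint that the last argument is optional, although every caller updated in this commit passes NULL. A one-line comment above it, such as `/* pgranted may be NULL; see source3/lib/sharesec.c for what it holds when the check fails */`, would save readers a trip to the definition.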
index ed971a97a6c834fc6e48dc075e768d30009c1540..0c06d7bbeee339f90e81b85eb061bfa634137b34 100644 (file)
@@ -410,8 +410,10 @@ bool delete_share_security(const char *servicename)
  Can this user access with share with the required permissions ?
 ********************************************************************/
 
-bool share_access_check(const struct security_token *token, const char *sharename,
-                       uint32 desired_access)
+bool share_access_check(const struct security_token *token,
+                       const char *sharename,
+                       uint32 desired_access,
+                       uint32_t *pgranted)
 {
        uint32 granted;
        NTSTATUS status;
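Review bot: `granted` is declared here without an initializer, and the next hunk of this file (the `if (pgranted != NULL)` block) copies it out whatever `status` is, so the value a caller receives on a failed check depends entirely on what the access-check call left in it. Initialising it, `uint32 granted = 0;`, and stating in the function's header comment what `*pgranted` means when the function returns false would stop a caller from treating a denied request's value as granted rights. The lines between this declaration and `TALLOC_FREE(psd)` are outside both hunks; if any path returns before the store, presumably including one where the share has no descriptor, `*pgranted` is never written there and needs a defined value as well. No caller in this commit passes a non-NULL pointer, so the new path is not exercised yet.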
@@ -428,6 +430,10 @@ bool share_access_check(const struct security_token *token, const char *sharenam
 
        TALLOC_FREE(psd);
 
+       if (pgranted != NULL) {
+               *pgranted = granted;
+       }
+
        return NT_STATUS_IS_OK(status);
 }
 
index 7299d4cb77799b4eb7faf1e278876accbc3497a7..7d52a761b6716bef89146c0ea6dbaea2214ce149 100644 (file)
@@ -541,8 +541,8 @@ static bool is_enumeration_allowed(struct pipes_struct *p,
     if (!lp_access_based_share_enum(snum))
         return true;
 
-    return share_access_check(p->session_info->security_token, lp_servicename(snum),
-                              FILE_READ_DATA);
+    return share_access_check(p->session_info->security_token,
+                             lp_servicename(snum), FILE_READ_DATA, NULL);
 }
 
 /*******************************************************************
index 73c3c4f20c248472fe54cd935ebabc014fa3ea84..c1d4dd1799be240a959e1c551711212c7e4bcfba 100644 (file)
@@ -644,14 +644,15 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
        {
                bool can_write = False;
 
-               can_write = share_access_check(conn->session_info->security_token,
-                                              lp_servicename(snum),
-                                              FILE_WRITE_DATA);
+               can_write = share_access_check(
+                       conn->session_info->security_token,
+                       lp_servicename(snum), FILE_WRITE_DATA, NULL);
 
                if (!can_write) {
-                       if (!share_access_check(conn->session_info->security_token,
-                                               lp_servicename(snum),
-                                               FILE_READ_DATA)) {
+                       if (!share_access_check(
+                                   conn->session_info->security_token,
+                                   lp_servicename(snum), FILE_READ_DATA,
+                                   NULL)) {
                                /* No access, read or write. */
                                DEBUG(0,("make_connection: connection to %s "
                                         "denied due to security "
index 285b158a191c6af78f58edc166ffe4a75ae57ad5..81141445740210d9dd6e717aa276e4baf0a57e09 100644 (file)
@@ -121,8 +121,9 @@ static bool check_user_ok(connection_struct *conn,
                conn);
 
        if (!readonly_share &&
-           !share_access_check(session_info->security_token, lp_servicename(snum),
-                               FILE_WRITE_DATA)) {
+           !share_access_check(session_info->security_token,
+                               lp_servicename(snum), FILE_WRITE_DATA,
+                               NULL)) {
                /* smb.conf allows r/w, but the security descriptor denies
                 * write. Fall back to looking at readonly. */
                readonly_share = True;
@@ -130,9 +131,11 @@ static bool check_user_ok(connection_struct *conn,
                         "security descriptor\n"));
        }
 
-       if (!share_access_check(session_info->security_token, lp_servicename(snum),
+       if (!share_access_check(session_info->security_token,
+                               lp_servicename(snum),
                                readonly_share ?
-                               FILE_READ_DATA : FILE_WRITE_DATA)) {
+                               FILE_READ_DATA : FILE_WRITE_DATA,
+                               NULL)) {
                return False;
        }