Remove can_access_file_acl(). We no longer need this duplicate code (hurrah!).
authorJeremy Allison <jra@samba.org>
Fri, 4 Nov 2011 22:55:11 +0000 (15:55 -0700)
committerJeremy Allison <jra@samba.org>
Fri, 4 Nov 2011 22:55:11 +0000 (15:55 -0700)
source3/smbd/dir.c
source3/smbd/file_access.c
source3/smbd/open.c
source3/smbd/proto.h

index cc7488681049c5465f00c16bbbd33164bbc78294..8af0dad8c3a6b92287719a7c1ee7abb07bbab9f0 100644 (file)
@@ -1161,7 +1161,9 @@ static bool user_can_read_file(connection_struct *conn,
                return True;
        }
 
-       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
+       return NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+                               smb_fname,
+                               FILE_READ_DATA));
 }
 
 /*******************************************************************
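Review bot: The new return in user_can_read_file() reduces the NTSTATUS from smbd_check_access_rights() to a bool, so an ACL lookup failure and a genuine denial look identical to the caller. That fails closed, which is the right default for an access check, but the removed can_access_file_acl() logged the fetch failure at level 5 and the requested/granted masks at level 10, and this diff does not show whether smbd_check_access_rights() logs the same detail. I would keep the status in a local and log non-OK results before returning, e.g. `status = smbd_check_access_rights(conn, smb_fname, FILE_READ_DATA);` then `return NT_STATUS_IS_OK(status);` with a DEBUG line in between. The same collapse is repeated in can_delete_file_in_directory() and in create_file_unixpath(), where every non-OK status ends up as NT_STATUS_ACCESS_DENIED. The body of user_can_read_file() starts outside this hunk.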
index 81cb7bd43f1ed8c7732da9ada0d454c0ba04a941..ae13a0a2a5d39b539475120be08ace66e6d599eb 100644 (file)
 #undef  DBGC_CLASS
 #define DBGC_CLASS DBGC_ACLS
 
-/**
- * Security descriptor / NT Token level access check function.
- */
-bool can_access_file_acl(struct connection_struct *conn,
-                        const struct smb_filename *smb_fname,
-                        uint32_t access_mask)
-{
-       NTSTATUS status;
-       uint32_t access_granted;
-       struct security_descriptor *secdesc = NULL;
-       bool ret;
-
-       if (get_current_uid(conn) == (uid_t)0) {
-               /* I'm sorry sir, I didn't know you were root... */
-               return true;
-       }
-
-       status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
-                                   (SECINFO_OWNER |
-                                    SECINFO_GROUP |
-                                    SECINFO_DACL),
-                                   &secdesc);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(5, ("Could not get acl: %s\n", nt_errstr(status)));
-               ret = false;
-               goto out;
-       }
-
-       status = se_access_check(secdesc, get_current_nttok(conn),
-                                access_mask, &access_granted);
-       ret = NT_STATUS_IS_OK(status);
-
-       if (DEBUGLEVEL >= 10) {
-               DEBUG(10,("can_access_file_acl for file %s "
-                       "access_mask 0x%x, access_granted 0x%x "
-                       "access %s\n",
-                       smb_fname_str_dbg(smb_fname),
-                       (unsigned int)access_mask,
-                       (unsigned int)access_granted,
-                       ret ? "ALLOWED" : "DENIED" ));
-               NDR_PRINT_DEBUG(security_descriptor, secdesc);
-       }
- out:
-       TALLOC_FREE(secdesc);
-       return ret;
-}
-
 /****************************************************************************
  Actually emulate the in-kernel access checking for delete access. We need
  this to successfully return ACCESS_DENIED on a file open for delete access.
@@ -169,7 +122,9 @@ bool can_delete_file_in_directory(connection_struct *conn,
         * check the file DELETE permission separately.
         */
 
-       ret = can_access_file_acl(conn, smb_fname_parent, FILE_DELETE_CHILD);
+       ret = NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+                               smb_fname_parent,
+                               FILE_DELETE_CHILD));
  out:
        TALLOC_FREE(dname);
        TALLOC_FREE(smb_fname_parent);
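Review bot: Nothing in this hunk or the commit message records that smbd_check_access_rights() reaches the same decision as the removed can_access_file_acl() for FILE_DELETE_CHILD on the parent directory. The removed code returned true for uid 0 before touching the ACL, fetched owner, group and DACL via smb_fname->base_name, and passed the mask to se_access_check() unchanged; the helper's body is not part of this diff, so any extra policy it applies would change who may delete here. Once that is confirmed, a short comment above the call such as `/* smbd_check_access_rights() covers the root shortcut and the ACL check; any non-OK status means no delete. */` would document it, and a test for delete as root and as a non-owner would pin the behaviour. can_delete_file_in_directory() begins before this hunk.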
index a1a247fca26436dafca63adb392d7cbed1347455..eb9f13e22c4e7c49192c7c9eb2a3a549a0978996 100644 (file)
@@ -3266,7 +3266,9 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
        if ((create_disposition != FILE_CREATE)
            && (access_mask & DELETE_ACCESS)
            && (!(can_delete_file_in_directory(conn, smb_fname) ||
-                can_access_file_acl(conn, smb_fname, DELETE_ACCESS)))) {
+                NT_STATUS_IS_OK(smbd_check_access_rights(conn,
+                               smb_fname,
+                               DELETE_ACCESS))))) {
                status = NT_STATUS_ACCESS_DENIED;
                DEBUG(10,("create_file_unixpath: open file %s "
                          "for delete ACCESS_DENIED\n",
index 0b7c28fb9112b538594eff18154d9cda677f17cf..0a68a6c3183bb7f0207216b89a19417ffc9a60ea 100644 (file)
@@ -303,14 +303,8 @@ void reply_openerror(struct smb_request *req, NTSTATUS status);
 
 /* The following definitions come from smbd/file_access.c  */
 
-bool can_access_file_acl(struct connection_struct *conn,
-                        const struct smb_filename *smb_fname,
-                        uint32_t access_mask);
 bool can_delete_file_in_directory(connection_struct *conn,
                                  const struct smb_filename *smb_fname);
-bool can_access_file_data(connection_struct *conn,
-                         const struct smb_filename *smb_fname,
-                         uint32 access_mask);
 bool can_write_to_file(connection_struct *conn,
                       const struct smb_filename *smb_fname);
 bool directory_has_default_acl(connection_struct *conn, const char *fname);