From: Stefan Metzmacher
Date: Mon, 11 Jul 2011 16:09:44 +0000 (+0200)
Subject: s3:smbd/msdfs: let create_conn_struct() check the share security descriptor
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=18f967a24881aa899b39f7676fc70a7f7aaca07b
s3:smbd/msdfs: let create_conn_struct() check the share security descriptor
metze
---
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 31c5a2d07a6a..4629a39aa39d 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -28,6 +28,7 @@
 #include "msdfs.h"
 #include "auth.h"
 #include "lib/param/loadparm.h"
+#include "libcli/security/security.h"
 /**********************************************************************
 Parse a DFS pathname of the form \hostname\service\reqpath
@@ -279,6 +280,35 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 set_conn_connectpath(conn, connpath);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ *
+ */
+ if (conn->session_info) {
+ share_access_check(conn->session_info->security_token,
+ lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+ if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+ if ((conn->share_access & FILE_READ_DATA) == 0) {
+ /* No access, read or write. */
+ DEBUG(0,("create_conn_struct: connection to %s "
+ "denied due to security "
+ "descriptor.\n",
+ lp_servicename(snum)));
+ conn_free(conn);
+ return NT_STATUS_ACCESS_DENIED;
+ } else {
+ conn->read_only = true;
+ }
+ }
+ } else {
+ conn->share_access = 0;
+ conn->read_only = true;
+ }
+
 if (!smbd_vfs_init(conn)) {
 NTSTATUS status = map_nt_error_from_unix(errno);
 DEBUG(0,("create_conn_struct: smbd_vfs_init failed.\n"));
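Review bot: The share_access_check() call in the added `if (conn->session_info)` branch discards any result, and the bit tests that follow trust that the helper wrote conn->share_access. If it can return early without storing a grant (not visible here), the read/write decision is made on whatever the field held before. Setting `conn->share_access = 0;` just before the call would make that path fail closed. The `else` branch lets a connection with no session_info continue read-only without evaluating the share security descriptor, so it should carry a comment stating when that happens and why it is acceptable, for example `/* no session_info: descriptor not evaluated, force read-only */`. The copied "New code ... JRA" comment could be reworded for this call site; create_conn_struct() begins and ends outside the hunk, so how conn is allocated cannot be confirmed from here.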