From: Stefan Metzmacher
Date: Sun, 10 Jul 2011 11:03:51 +0000 (+0200)
Subject: s3:smbd: check the share level access mask in smbd_calculate_access_mask()
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=896f105ed40dc04f83bcbfac367b309c8d957f86
s3:smbd: check the share level access mask in smbd_calculate_access_mask()
I think we should reject invalid access early, before we might create new files. Also smbd_check_open_rights() is only called if the file existed. metze
---
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 96faf0f4b79d..5bbcf1e616a7 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1530,6 +1530,8 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
 uint32_t *access_mask_out)
 {
 NTSTATUS status;
+ uint32_t orig_access_mask = access_mask;
+ uint32_t rejected_share_access;

 /*
 * Convert GENERIC bits to specific bits.
@@ -1577,6 +1579,21 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
 } else {
 access_mask = FILE_GENERIC_ALL;
 }
+
+ access_mask &= conn->share_access;
+ }
+
+ rejected_share_access = access_mask & ~(conn->share_access);
+
+ if (rejected_share_access) {
+ DEBUG(10, ("smbd_calculate_access_mask: Access denied on "
+ "file %s: rejected by share access mask[0x%08X] "
+ "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n",
+ smb_fname_str_dbg(smb_fname),
+ conn->share_access,
+ orig_access_mask, access_mask,
+ rejected_share_access));
+ return NT_STATUS_ACCESS_DENIED;
 }

 *access_mask_out = access_mask;
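Review bot: The two share-level checks added in the second hunk treat the share mask differently, and nothing in the code says why. Inside the enclosing block (opened above the hunk, presumably the MAXIMUM_ALLOWED handling) the computed mask is silently intersected with `conn->share_access`, while after that block any remaining bit outside the share mask fails the call with NT_STATUS_ACCESS_DENIED. A comment on each would stop a later edit from merging them, e.g. `/* Computed maximum: grant at most what the share allows. */` above the `&=` and `/* Explicitly requested bits the share does not allow are an error. */` above the reject test. One case to confirm with the callers, which are not visible here: when that intersection is empty the function still returns NT_STATUS_OK with a zero mask, so the denial has to happen later. The function body starts and ends outside both hunks.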