s3:smbd: ease file server upgrades from 3.6 and earlier with "acl allow execute aways"
authorMichael Adam <obnox@samba.org>
Mon, 2 Sep 2013 15:37:50 +0000 (17:37 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 12 Sep 2013 07:10:10 +0000 (09:10 +0200)
3.6 and earlier allowed open for execution when execute permissions are
not present on a file. This has been fixed in Samba 4.0.

This patch changes smbd to omit the execute bit from the ACL check
in the open code if "acl allow execute always = yes", thereby
re-establishing the old behaviour in this case.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 1e29d730663382875d96c275c60e022a1c33a2d1)

source3/smbd/open.c

index 53f8b8e093583daa8a966ae76fd9f5e1390e1b1a..dcf6bb555f0c7d69e9da78092714eab66b6fa5bb 100644 (file)
@@ -76,6 +76,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
        struct security_descriptor *sd = NULL;
        uint32_t rejected_share_access;
        uint32_t rejected_mask = access_mask;
+       uint32_t do_not_check_mask = 0;
 
        rejected_share_access = access_mask & ~(conn->share_access);
 
@@ -143,10 +144,23 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
         * se_file_access_check() also takes care of
         * owner WRITE_DAC and READ_CONTROL.
         */
+       do_not_check_mask = FILE_READ_ATTRIBUTES;
+
+       /*
+        * Samba 3.6 and earlier granted execute access even
+        * if the ACL did not contain execute rights.
+        * Samba 4.0 is more correct and checks it.
+        * The compatibilty mode allows to skip this check
+        * to smoothen upgrades.
+        */
+       if (lp_acl_allow_execute_always(SNUM(conn))) {
+               do_not_check_mask |= FILE_EXECUTE;
+       }
+
        status = se_file_access_check(sd,
                                get_current_nttok(conn),
                                use_privs,
-                               (access_mask & ~FILE_READ_ATTRIBUTES),
+                               (access_mask & ~do_not_check_mask),
                                &rejected_mask);
 
        DEBUG(10,("smbd_check_access_rights: file %s requesting "
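Review bot: The new comment block above the `lp_acl_allow_execute_always()` test describes the history of the check but not its consequence: once FILE_EXECUTE is masked out of the value passed to se_file_access_check(), an execute request is never validated against the file's ACL on that share, so the option re-opens exactly the laxness that 4.0 closed and should be documented as a transitional, per-share compatibility knob rather than a permanent setting (whether the earlier share_access check still rejects it is outside this hunk and I have not confirmed it). I would extend the comment with `* NOTE: with this option set, FILE_EXECUTE is granted without consulting the ACL; intended only as a transitional setting while ACLs are fixed up after an upgrade.` and fix the two wording slips in it, `compatibilty` to `compatibility` and `allows to skip this check to smoothen upgrades` to `allows skipping this check to smooth upgrades`. The `= 0` initializer added in the first hunk is dead, since `do_not_check_mask` is unconditionally assigned `FILE_READ_ATTRIBUTES` here before any read; harmless, but the declaration could carry the initial value directly if the intervening code never returns early with the mask unread. smbd_check_access_rights() starts and ends outside this hunk.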