s3: Return "granted" from share_access_check
authorVolker Lendecke <vl@samba.org>
Mon, 4 Jul 2011 15:02:34 +0000 (17:02 +0200)
committerKarolin Seeger <kseeger@samba.org>
Wed, 13 Jul 2011 19:32:34 +0000 (21:32 +0200)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1c022d2e414607633323e65abbc63bb3aeaaa6a4)

source3/include/proto.h
source3/lib/sharesec.c
source3/rpc_server/srvsvc/srv_srvsvc_nt.c
source3/smbd/service.c
source3/smbd/uid.c

index d0725021b324941498067acef3f21a321d210cd5..6291f111abbc9836750404bf65cb4dcf64ec885f 100644 (file)
@@ -329,8 +329,10 @@ struct security_descriptor *get_share_security( TALLOC_CTX *ctx, const char *ser
                              size_t *psize);
 bool set_share_security(const char *share_name, struct security_descriptor *psd);
 bool delete_share_security(const char *servicename);
-bool share_access_check(const struct security_token *token, const char *sharename,
-                       uint32 desired_access);
+bool share_access_check(const struct security_token *token,
+                       const char *sharename,
+                       uint32 desired_access,
+                       uint32_t *pgranted);
 bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, struct security_descriptor **ppsd);
 
 /* The following definitions come from lib/smbrun.c  */
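Review bot: The new prototype mixes two spellings of the same type, keeping `uint32 desired_access` next to the added `uint32_t *pgranted`. The definition in source3/lib/sharesec.c has the same mix, and its local `granted` is declared `uint32`. Using `uint32_t` for all three keeps the `*pgranted = granted` assignment obviously type-compatible. The prototype also gives callers no hint that the out-parameter is optional; a one-line comment such as `/* pgranted may be NULL when the caller does not need the granted mask */` would document what the call sites passing `NULL` rely on.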
index c2494e2293a1501783c8a1e5c6f6713a8e05c20c..410fc1336b0f76553660db567a7cd34c2d21c7e7 100644 (file)
@@ -410,8 +410,10 @@ bool delete_share_security(const char *servicename)
  Can this user access with share with the required permissions ?
 ********************************************************************/
 
-bool share_access_check(const struct security_token *token, const char *sharename,
-                       uint32 desired_access)
+bool share_access_check(const struct security_token *token,
+                       const char *sharename,
+                       uint32 desired_access,
+                       uint32_t *pgranted)
 {
        uint32 granted;
        NTSTATUS status;
@@ -428,6 +430,10 @@ bool share_access_check(const struct security_token *token, const char *sharenam
 
        TALLOC_FREE(psd);
 
+       if (pgranted != NULL) {
+               *pgranted = granted;
+       }
+
        return NT_STATUS_IS_OK(status);
 }
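Review bot: `*pgranted = granted` is executed whatever `status` turned out to be, and `granted` is declared without an initializer (`uint32 granted;` in the previous hunk), so after a failed check the caller may receive an indeterminate mask. The lines between the two hunks are not visible here; if any path there returns before this point, `*pgranted` is never written even though the function can still report success. Because this value is presumably going to feed access decisions in callers, initialize it with `uint32_t granted = 0;` and make every early return set `*pgranted` as well. The banner comment above the function should also state the contract, for example `pgranted (optional) receives the access mask granted by the share security descriptor; it is 0 when the check fails`.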
 
index 472a31860e50511d54155217cdbf824ff5defb8b..a078395b2fea413a334ff087a616abf92bd7ee3d 100644 (file)
@@ -539,8 +539,8 @@ static bool is_enumeration_allowed(struct pipes_struct *p,
     if (!lp_access_based_share_enum(snum))
         return true;
 
-    return share_access_check(p->session_info->security_token, lp_servicename(snum),
-                              FILE_READ_DATA);
+    return share_access_check(p->session_info->security_token,
+                             lp_servicename(snum), FILE_READ_DATA, NULL);
 }
 
 /*******************************************************************
index a8cd756f38ddb77c8b1b1cf875fe613fcfb6a2d5..6c147b26b5ba7bc95fd398decdd4a0b24b643dcc 100644 (file)
@@ -856,14 +856,15 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
        {
                bool can_write = False;
 
-               can_write = share_access_check(conn->session_info->security_token,
-                                              lp_servicename(snum),
-                                              FILE_WRITE_DATA);
+               can_write = share_access_check(
+                       conn->session_info->security_token,
+                       lp_servicename(snum), FILE_WRITE_DATA, NULL);
 
                if (!can_write) {
-                       if (!share_access_check(conn->session_info->security_token,
-                                               lp_servicename(snum),
-                                               FILE_READ_DATA)) {
+                       if (!share_access_check(
+                                   conn->session_info->security_token,
+                                   lp_servicename(snum), FILE_READ_DATA,
+                                   NULL)) {
                                /* No access, read or write. */
                                DEBUG(0,("make_connection: connection to %s "
                                         "denied due to security "
index 7b04713bab68db1640fb89a84223452ee7591f67..7a48cb2945cc3c852c4466b8f75f044d5b0d1c2b 100644 (file)
@@ -121,8 +121,9 @@ static bool check_user_ok(connection_struct *conn,
                conn);
 
        if (!readonly_share &&
-           !share_access_check(session_info->security_token, lp_servicename(snum),
-                               FILE_WRITE_DATA)) {
+           !share_access_check(session_info->security_token,
+                               lp_servicename(snum), FILE_WRITE_DATA,
+                               NULL)) {
                /* smb.conf allows r/w, but the security descriptor denies
                 * write. Fall back to looking at readonly. */
                readonly_share = True;
@@ -130,9 +131,11 @@ static bool check_user_ok(connection_struct *conn,
                         "security descriptor\n"));
        }
 
-       if (!share_access_check(session_info->security_token, lp_servicename(snum),
+       if (!share_access_check(session_info->security_token,
+                               lp_servicename(snum),
                                readonly_share ?
-                               FILE_READ_DATA : FILE_WRITE_DATA)) {
+                               FILE_READ_DATA : FILE_WRITE_DATA,
+                               NULL)) {
                return False;
        }