From 46e4596f82c5dce4656b0a23545a4b38637097f5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 22 Oct 2010 17:11:17 -0700 Subject: [PATCH] Canonicalize incoming and outgoing ACLs. Jeremy. (cherry picked from commit b01501af60d364ce7e7c96b7e4b93502c453ac6d) --- source3/smbd/nttrans.c | 63 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 913921357f3..d311cc32684 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -833,7 +833,15 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len, SEC_DESC *psd = NULL; NTSTATUS status; - if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) { + if (sd_len == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!CAN_WRITE(fsp->conn)) { + return NT_STATUS_ACCESS_DENIED; + } + + if (!lp_nt_acl_support(SNUM(fsp->conn))) { return NT_STATUS_OK; } @@ -850,9 +858,43 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len, security_info_sent &= ~GROUP_SECURITY_INFORMATION; } - /* Convert all the generic bits. */ - security_acl_map_generic(psd->dacl, &file_generic_mapping); - security_acl_map_generic(psd->sacl, &file_generic_mapping); + /* Ensure we have at least one thing set. */ + if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Ensure we have the rights to do this. */ + if (security_info_sent & SECINFO_OWNER) { + if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) { + return NT_STATUS_ACCESS_DENIED; + } + } + + if (security_info_sent & SECINFO_GROUP) { + if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) { + return NT_STATUS_ACCESS_DENIED; + } + } + + if (security_info_sent & SECINFO_DACL) { + if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) { + return NT_STATUS_ACCESS_DENIED; + } + /* Convert all the generic bits. */ + if (psd->dacl) { + security_acl_map_generic(psd->dacl, &file_generic_mapping); + } + } + + if (security_info_sent & SECINFO_SACL) { + if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) { + return NT_STATUS_ACCESS_DENIED; + } + /* Convert all the generic bits. */ + if (psd->sacl) { + security_acl_map_generic(psd->sacl, &file_generic_mapping); + } + } if (DEBUGLEVEL >= 10) { DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp))); @@ -1806,6 +1848,19 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, return; } + if (!(security_info_wanted & SECINFO_OWNER)) { + psd->owner_sid = NULL; + } + if (!(security_info_wanted & SECINFO_GROUP)) { + psd->group_sid = NULL; + } + if (!(security_info_wanted & SECINFO_DACL)) { + psd->dacl = NULL; + } + if (!(security_info_wanted & SECINFO_SACL)) { + psd->sacl = NULL; + } + /* If the SACL/DACL is NULL, but was requested, we mark that it is * present in the reply to match Windows behavior */ if (psd->sacl == NULL && -- 2.34.1