Canonicalize incoming and outgoing ACLs.
authorJeremy Allison <jra@samba.org>
Sat, 23 Oct 2010 00:11:17 +0000 (17:11 -0700)
committerKarolin Seeger <kseeger@samba.org>
Sat, 5 Mar 2011 13:34:36 +0000 (14:34 +0100)
Jeremy.
(cherry picked from commit b01501af60d364ce7e7c96b7e4b93502c453ac6d)

source3/smbd/nttrans.c

index 913921357f3ec5e9eada9bea3ace6d9d43608e00..d311cc32684b20149f0e90c45dc6bf7994dd9de3 100644 (file)
@@ -833,7 +833,15 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
        SEC_DESC *psd = NULL;
        NTSTATUS status;
 
-       if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
+       if (sd_len == 0) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       if (!CAN_WRITE(fsp->conn)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       if (!lp_nt_acl_support(SNUM(fsp->conn))) {
                return NT_STATUS_OK;
        }
 
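Review bot: The `return NT_STATUS_OK;` under `!lp_nt_acl_support(SNUM(fsp->conn))` reports success although no descriptor is stored, and it is reached before the per-handle `fsp->access_mask` checks added in the next hunk. On a share with NT ACL support disabled, a handle opened without WRITE_DAC therefore gets success instead of NT_STATUS_ACCESS_DENIED. Nothing is written, so the effect is benign, but it deserves a comment so it is not read as a missed check, e.g. `/* nt acl support disabled: nothing is stored, so report success without checking fsp->access_mask. */`. A one-line comment on the `sd_len == 0` branch, noting that an empty descriptor is now rejected rather than silently accepted, would help too. set_sd's body continues outside the hunk.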
@@ -850,9 +858,43 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
                security_info_sent &= ~GROUP_SECURITY_INFORMATION;
        }
 
-       /* Convert all the generic bits. */
-       security_acl_map_generic(psd->dacl, &file_generic_mapping);
-       security_acl_map_generic(psd->sacl, &file_generic_mapping);
+       /* Ensure we have at least one thing set. */
+       if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       /* Ensure we have the rights to do this. */
+       if (security_info_sent & SECINFO_OWNER) {
+               if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
+
+       if (security_info_sent & SECINFO_GROUP) {
+               if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
+
+       if (security_info_sent & SECINFO_DACL) {
+               if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+               /* Convert all the generic bits. */
+               if (psd->dacl) {
+                       security_acl_map_generic(psd->dacl, &file_generic_mapping);
+               }
+       }
+
+       if (security_info_sent & SECINFO_SACL) {
+               if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+               /* Convert all the generic bits. */
+               if (psd->sacl) {
+                       security_acl_map_generic(psd->sacl, &file_generic_mapping);
+               }
+       }
 
        if (DEBUGLEVEL >= 10) {
                DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
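Review bot: None of the new `NT_STATUS_ACCESS_DENIED` and `NT_STATUS_INVALID_PARAMETER` returns in the access_mask checks logs anything, so a refused attempt to change owner, group, DACL or SACL leaves no trace in the smbd log; the only DEBUG visible in this path comes after the checks. A line before each return, for example `DEBUG(5,("set_sd: %s: handle lacks SEC_STD_WRITE_DAC\n", fsp_str_dbg(fsp)));`, would make denied security-descriptor writes visible during triage. As a smaller point, the SECINFO_OWNER and SECINFO_GROUP branches test the same `SEC_STD_WRITE_OWNER` bit and could be a single `if (security_info_sent & (SECINFO_OWNER|SECINFO_GROUP))`. The function starts and ends outside the hunk.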
@@ -1806,6 +1848,19 @@ static void call_nt_transact_query_security_desc(connection_struct *conn,
                return;
        }
 
+       if (!(security_info_wanted & SECINFO_OWNER)) {
+               psd->owner_sid = NULL;
+       }
+       if (!(security_info_wanted & SECINFO_GROUP)) {
+               psd->group_sid = NULL;
+       }
+       if (!(security_info_wanted & SECINFO_DACL)) {
+               psd->dacl = NULL;
+       }
+       if (!(security_info_wanted & SECINFO_SACL)) {
+               psd->sacl = NULL;
+       }
+
        /* If the SACL/DACL is NULL, but was requested, we mark that it is
         * present in the reply to match Windows behavior */
        if (psd->sacl == NULL &&
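Review bot: Clearing `psd->dacl` and `psd->sacl` for components the client did not request leaves `psd->type` untouched. If the descriptor handed back by the lower layer carried SEC_DESC_DACL_PRESENT or SEC_DESC_SACL_PRESENT, the reply would advertise an ACL as present while its pointer is NULL, and a present-but-NULL DACL conventionally means "no restrictions" to a Windows client. The flag should be dropped together with the pointer: `psd->type &= ~SEC_DESC_DACL_PRESENT;` next to `psd->dacl = NULL;`, and `psd->type &= ~SEC_DESC_SACL_PRESENT;` next to `psd->sacl = NULL;`. How psd->type is populated before this point is not visible in the hunk, so confirm against the code that builds psd. The enclosing function continues past the hunk.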