git.samba.org - samba.git/commit

author	Ralph Boehme <slow@samba.org>
	Thu, 21 Dec 2023 09:58:09 +0000 (10:58 +0100)
committer	Ralph Boehme <slow@samba.org>
	Mon, 8 Jan 2024 15:53:36 +0000 (15:53 +0000)
commit	bf497819e61131cfa6469971596af3aa9bd4bb49
tree	e04729aee2922d1cdb57527a9bc2f2b0ee3b19ef	tree
parent	96b577c380fa914eb1ffa95849c82bdb88aa1ec6	commit \| diff

smbd: fix check_any_access_fsp() for non-fsa fsps

smbd_check_access_rights_fsp() requires *all* rights in access_mask to
be granted by the underlying ACL, but the semantics of this function
is supposed to grant access if any one of the rights in
access_requested is allowed.

Fix this by looping over the requested access mask. If
smbd_check_access_rights_fsp() returns sucess, mask will be non-null
and when assigned to access_granted, the subsequent check will pass,
fail otherwise.

I'm not doing an early exit on purpose because a subsequent commit
adds additional security checks that are done in the subsequent code
path common for fsa and non-fsa fsps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source3/smbd/proto.h		diff \| blob \| history
source3/smbd/smb2_trans2.c		diff \| blob \| history