The branch, master has been updated
       via  0657db26447 s3: smbd: Explicitly code the semantics of "dos filemode" into the chown code.
      from  147dd9d58a4 libcli/smb: let smb2_negotiate_context_parse() only parse the expected number of contexts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0657db26447ad9b0d2130fe07163e953eba2bcc2
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Jun 28 13:54:52 2021 -0700

    s3: smbd: Explicitly code the semantics of "dos filemode" into the chown code.
    
    We actually don't need this to get the right semantics, as the open or the
    set_sd() code catches the correct cases and returns ACCESS_DENIED, but it
    makes me much happier to see the prerequisites needed expressed in code here
    right at the point of use.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Tue Jul 13 08:11:36 UTC 2021 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/posix_acls.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 8bfaea27e39..899e7dc3c1e 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3440,9 +3440,24 @@ NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t 
gid)
        }
 
        /* Case (4). */
+       /* If "dos filemode" isn't set, we're done. */
        if (!lp_dos_filemode(SNUM(fsp->conn))) {
                return NT_STATUS_ACCESS_DENIED;
        }
+       /*
+        * If we have a writable handle, obviously we
+        * can write to the file.
+        */
+       if (!fsp->fsp_flags.can_write) {
+               /*
+                * If we don't have a writable handle, we
+                * need to read the ACL on the file to
+                * see if we can write to it.
+                */
+               if (!can_write_to_fsp(fsp)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
 
        /* only allow chown to the current user. This is more secure,
           and also copes with the case where the SID in a take ownership ACL is
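Review bot: The comment placed directly above `if (!fsp->fsp_flags.can_write)` describes the case the test skips (a writable handle), so the comment and the negated condition read as opposites on first pass. Consider folding the two comments into one that states the rule once (with "dos filemode" set, chown proceeds only with a writable handle or when the ACL grants write), and collapsing the nested ifs into a single `if (!fsp->fsp_flags.can_write && !can_write_to_fsp(fsp))` returning NT_STATUS_ACCESS_DENIED. The commit message says the open or set_sd() code already returns ACCESS_DENIED for these cases; that is worth recording in the code comment too, so a later reader knows this check is deliberately redundant and neither removes it as dead code nor treats it as the only gate. A blank line between the closing brace of the lp_dos_filemode() check and the new comment block would also match the spacing used around "Case (4)".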


-- 
Samba Shared Repository
