s3: smbd: Refuse open in create_file_unixpath() with only SEC_FLAG_SYSTEM_SECURITY...
author Jeremy Allison <jra@samba.org>
Fri, 17 Apr 2020 21:23:07 +0000 (14:23 -0700)
committer Jeremy Allison <jra@samba.org>
Tue, 21 Apr 2020 20:17:10 +0000 (20:17 +0000)
We now pass smbtorture3 SMB2-SACL like Windows 10 does.
Note this is an SMB2-only behavior. SMB1 allows an open
with only SEC_FLAG_SYSTEM_SECURITY set as tested in
smbtorture3 SMB1-SYSTEM-SECURITY.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 21 20:17:10 UTC 2020 on sn-devel-184

selftest/knownfail.d/sacl_set_get [deleted file]
source3/smbd/open.c

diff --git a/selftest/knownfail.d/sacl_set_get b/selftest/knownfail.d/sacl_set_get
deleted file mode 100644 (file)
index 6aee383..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.blackbox.sacl_get_set.SACL set_get\(fileserver\)
-
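Review bot: the knownfail entry removed here is for samba3.blackbox.sacl_get_set, but the commit message only names smbtorture3 SMB2-SACL and SMB1-SYSTEM-SECURITY. Please say in the commit message that the blackbox SACL set_get test on fileserver is expected to pass with this change, so the deletion can be traced to the behavior change in source3/smbd/open.c.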
index d4c77602daf0151c0beac1a37654a358ec693cd0..ecb46d752155fcb1511851e46be871706fe5b999 100644 (file)
@@ -5432,6 +5432,21 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
                        status = NT_STATUS_PRIVILEGE_NOT_HELD;
                        goto fail;
                }
+
+               if (conn->sconn->using_smb2 &&
+                   (access_mask == SEC_FLAG_SYSTEM_SECURITY))
+               {
+                       /*
+                        * No other bits set. Windows SMB2 refuses this.
+                        * See smbtorture3 SMB2-SACL test.
+                        *
+                        * Note this is an SMB2-only behavior,
+                        * smbtorture3 SMB1-SYSTEM-SECURITY already tests
+                        * that SMB1 allows this.
+                        */
+                       status = NT_STATUS_ACCESS_DENIED;
+                       goto fail;
+               }
        }
 
        /*
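Review bot: the new `access_mask == SEC_FLAG_SYSTEM_SECURITY` test sits after the branch that fails with NT_STATUS_PRIVILEGE_NOT_HELD, so the status an SMB2 client sees for a SEC_FLAG_SYSTEM_SECURITY-only open depends on which of the two branches is reached first. Please extend the comment to state that this ordering is intended and which status each case should return. The comparison is an exact match, so a request carrying SEC_FLAG_SYSTEM_SECURITY plus any other bit is not refused here. That agrees with "No other bits set", but the comment should also say whether access_mask at this point is the mask as requested by the client or one that earlier code may already have modified, since extra bits added before this check would make it never fire.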