s3: smbd: When writing a security descriptor SACL, ensure both SEC_FLAG_SYSTEM_SECURI...
author Jeremy Allison <jra@samba.org>
Fri, 17 Apr 2020 21:14:38 +0000 (14:14 -0700)
committer Jeremy Allison <jra@samba.org>
Tue, 21 Apr 2020 18:37:39 +0000 (18:37 +0000)
smbtorture3 SMB2-SACL tests this against Windows10 (and Samba).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/smbd/nttrans.c

index f7e313d6edf3d53ffb7f7589dfc7ac69b3ad9e5f..66bcebf1313dd67c6ce73b2b48c605d2e1d838a0 100644 (file)
@@ -950,6 +950,13 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
                if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
+               /*
+                * Setting a SACL also requires WRITE_DAC.
+                * See the smbtorture3 SMB2-SACL test.
+                */
+               if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
                /* Convert all the generic bits. */
                if (psd->sacl) {
                        security_acl_map_generic(psd->sacl, &file_generic_mapping);
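Review bot: The added SEC_STD_WRITE_DAC test sits directly below the existing SEC_FLAG_SYSTEM_SECURITY test and returns the same NT_STATUS_ACCESS_DENIED, so the two could be a single comparison of fsp->access_mask against a mask holding both bits. That would keep the rule that a SACL write needs both rights in one place, where a later edit cannot drop one half of it. The comment should also say that this matches the Windows 10 behaviour the commit message refers to, instead of only naming the SMB2-SACL test, so a reader of nttrans.c can see that the check exists for compatibility and is not to be relaxed.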