Fix bug 7581 - Users in "admin users" in smb.conf file are unable to read/write all...
authorJeremy Allison <jra@samba.org>
Fri, 13 Aug 2010 00:02:30 +0000 (17:02 -0700)
committerKarolin Seeger <kseeger@samba.org>
Mon, 27 Sep 2010 19:29:00 +0000 (21:29 +0200)
Correctly check admin users in smb1_file_se_access_check().

Jeremy.
(cherry picked from commit 383477789445d42d0d7451fea770c456625f16e1)

source3/include/proto.h
source3/modules/vfs_acl_common.c
source3/smbd/open.c

index 9da40b0599ac866ee653fe2d686be30f15dfd2a7..4d3fb636ac6f8a1c4be0d877db98ee7b7cbbb87c 100644 (file)
@@ -6583,7 +6583,8 @@ void reply_nttranss(struct smb_request *req);
 
 /* The following definitions come from smbd/open.c  */
 
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+                         const struct security_descriptor *sd,
                           const NT_USER_TOKEN *token,
                           uint32_t access_desired,
                           uint32_t *access_granted);
index 10781c478c55e208d1e93b868607037dd8295ee0..abc4a62696ccff065bfa35af793d33dd2dc57a6a 100644 (file)
@@ -471,7 +471,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
                        nt_errstr(status) ));
                return status;
        }
-       status = smb1_file_se_access_check(parent_desc,
+       status = smb1_file_se_access_check(handle->conn,
+                                       parent_desc,
                                        handle->conn->server_info->ptok,
                                        access_mask,
                                        &access_granted);
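Review bot: For root or "admin users" sessions this call now returns NT_STATUS_OK without evaluating `parent_desc`, because the bypass lives inside smb1_file_se_access_check() after this commit, and nothing at the call site says so. The same applies to the `pdesc` check in open_acl_common in the next hunk. Since these are the ACL-enforcement points of the VFS module, I would add a comment above each call such as `/* Root and "admin users" connections are granted the requested mask here without the descriptor being consulted. */` so a later reader does not assume the descriptor is always enforced. Both functions continue outside their hunks, so how `access_granted` is used afterwards is not visible here.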
@@ -535,7 +536,8 @@ static int open_acl_common(vfs_handle_struct *handle,
                                &pdesc);
         if (NT_STATUS_IS_OK(status)) {
                /* See if we can access it. */
-               status = smb1_file_se_access_check(pdesc,
+               status = smb1_file_se_access_check(handle->conn,
+                                       pdesc,
                                        handle->conn->server_info->ptok,
                                        fsp->access_mask,
                                        &access_granted);
index 120de0f21abcc59da61401f81ed49ebce7710ccc..1bf7e235c15e8ef0d3b6fe42ae9ad46bd50f6418 100644 (file)
@@ -49,11 +49,23 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
  SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
 ****************************************************************************/
 
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
+NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+                         const struct security_descriptor *sd,
                           const NT_USER_TOKEN *token,
                           uint32_t access_desired,
                           uint32_t *access_granted)
 {
+       *access_granted = 0;
+
+       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
+               /* I'm sorry sir, I didn't know you were root... */
+               *access_granted = access_desired;
+               if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+                       *access_granted |= FILE_GENERIC_ALL;
+               }
+               return NT_STATUS_OK;
+       }
+
        return se_access_check(sd,
                                token,
                                (access_desired & ~FILE_READ_ATTRIBUTES),
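Review bot: In the new root/admin branch, `*access_granted = access_desired;` copies SEC_FLAG_MAXIMUM_ALLOWED into the granted mask, so a caller that asked for maximum-allowed gets the request flag back alongside FILE_GENERIC_ALL rather than a mask of concrete rights. If se_access_check() strips that flag from its result (not visible here), the two return paths hand callers differently shaped masks; consider `*access_granted = (access_desired & ~SEC_FLAG_MAXIMUM_ALLOWED) | FILE_GENERIC_ALL;` inside the inner `if`. The block comment above the function should also state that uid 0 and `conn->admin_user` are granted `access_desired` without `sd` being read, since every caller now inherits that bypass. The function body continues past the end of the hunk.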
@@ -73,17 +85,6 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
        NTSTATUS status;
        struct security_descriptor *sd = NULL;
 
-       *access_granted = 0;
-
-       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
-               /* I'm sorry sir, I didn't know you were root... */
-               *access_granted = access_mask;
-               if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
-                       *access_granted |= FILE_GENERIC_ALL;
-               }
-               return NT_STATUS_OK;
-       }
-
        status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
                        (OWNER_SECURITY_INFORMATION |
                        GROUP_SECURITY_INFORMATION |
@@ -97,7 +98,8 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
                return status;
        }
 
-       status = smb1_file_se_access_check(sd,
+       status = smb1_file_se_access_check(conn,
+                               sd,
                                conn->server_info->ptok,
                                access_mask,
                                access_granted);
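Review bot: With the block removed from the top of smbd_check_open_rights in the previous hunk, the early `return status;` at the start of this hunk (presumably the failure path of SMB_VFS_GET_NT_ACL) is now reached before `*access_granted` has been written and before any root/admin check. A caller that reads `*access_granted` after a failure would see whatever the variable held before the call, and a root or "admin users" session is now refused when the descriptor cannot be fetched, where it previously returned NT_STATUS_OK without fetching it. Keeping `*access_granted = 0;` as the first statement of smbd_check_open_rights addresses the first; the second is a behaviour change worth confirming as intended. The function starts and ends outside this hunk.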
@@ -1412,7 +1414,8 @@ static NTSTATUS calculate_access_mask(connection_struct *conn,
                                return NT_STATUS_ACCESS_DENIED;
                        }
 
-                       status = smb1_file_se_access_check(sd,
+                       status = smb1_file_se_access_check(conn,
+                                       sd,
                                        conn->server_info->ptok,
                                        access_mask,
                                        &access_granted);