git.ipfire.org Git - thirdparty/samba.git/commit

author	Ralph Boehme <slow@samba.org>
	Thu, 21 Dec 2023 09:58:09 +0000 (10:58 +0100)
committer	Jule Anger <janger@samba.org>
	Tue, 16 Jan 2024 09:09:15 +0000 (09:09 +0000)
commit	8c08511f97d0915fdc87c77f4c5a815e1dcfb42a
tree	38f382fb1195f20d26a430868cbf6b35fb2511ae	tree
parent	b775434b7eb1a08fff283e153817f3e0376c9af8	commit \| diff

smbd: fix check_any_access_fsp() for non-fsa fsps

smbd_check_access_rights_fsp() requires *all* rights in access_mask to
be granted by the underlying ACL, but the semantics of this function
is supposed to grant access if any one of the rights in
access_requested is allowed.

Fix this by looping over the requested access mask. If
smbd_check_access_rights_fsp() returns sucess, mask will be non-null
and when assigned to access_granted, the subsequent check will pass,
fail otherwise.

I'm not doing an early exit on purpose because a subsequent commit
adds additional security checks that are done in the subsequent code
path common for fsa and non-fsa fsps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bf497819e61131cfa6469971596af3aa9bd4bb49)

source3/smbd/proto.h		diff \| blob \| blame \| history
source3/smbd/smb2_trans2.c		diff \| blob \| blame \| history