]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
smbd/posix_acls: reuse secutiry token from session info if exist
authorJoe Guo <joeg@catalyst.net.nz>
Tue, 3 Jul 2018 23:09:50 +0000 (11:09 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Jul 2018 02:31:59 +0000 (04:31 +0200)
If session info was passed down from upstream, then try to use it to get
security token, other then creating token every time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
source3/smbd/posix_acls.c

index 70834d5fc7d7c2afd9a5971092cc2f6a325210ed..8cc9cf1f2fc35c121f29adf89a87378cdf11a669 100644 (file)
@@ -1251,11 +1251,37 @@ static void ensure_minimal_owner_ace_perms(const bool is_directory,
 
 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
 {
+       bool is_sid = false;
+       bool has_sid = false;
+       struct security_token *security_token = NULL;
+
        /* "Everyone" always matches every uid. */
 
        if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
                return True;
 
+       /*
+        * if we have session info in conn, we already have the (SID
+        * based) NT token and don't need to do the complex
+        * user_in_group_sid() call
+        */
+       if (conn->session_info) {
+               security_token = conn->session_info->security_token;
+               /* security_token should not be NULL */
+               SMB_ASSERT(security_token);
+               is_sid = security_token_is_sid(security_token,
+                                              &uid_ace->trustee);
+               if (is_sid) {
+                       has_sid = security_token_has_sid(security_token,
+                                                        &group_ace->trustee);
+
+                       if (has_sid) {
+                               return true;
+                       }
+               }
+
+       }
+
        /*
         * if it's the current user, we already have the unix token
         * and don't need to do the complex user_in_group_sid() call