s3: smbd: Add missing permissions check on destination folder.
authorJeremy Allison <jra@samba.org>
Mon, 5 Dec 2016 22:32:55 +0000 (14:32 -0800)
committerKarolin Seeger <kseeger@samba.org>
Mon, 2 Jan 2017 10:56:53 +0000 (11:56 +0100)
Based on code from Michael Zeis <mzeis.quantum@gmail.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 91b591224ab7f8ea7b4594da9f61efef14353f7f)

source3/smbd/reply.c

index 9504d1b3039e0df4f94282688fea8861b61395bd..3ba61a3b2bc1ce784d55dd4409e07622b86e8b97 100644 (file)
@@ -6589,6 +6589,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
        struct smb_filename *smb_fname_dst = NULL;
        NTSTATUS status = NT_STATUS_OK;
        struct share_mode_lock *lck = NULL;
+       uint32_t access_mask = SEC_DIR_ADD_FILE;
        bool dst_exists, old_is_stream, new_is_stream;
 
        status = check_name(conn, smb_fname_dst_in->base_name);
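Review bot: The default `SEC_DIR_ADD_FILE` is set in the declaration at the top of rename_internals_fsp, roughly 180 lines before the check in the second hunk that uses it, so the non-directory case of the permission check is only implicit at the point where it matters. Choosing both values next to the check would keep the decision in one place, for example `access_mask = S_ISDIR(fsp->fsp_name->st.st_ex_mode) ? SEC_DIR_ADD_SUBDIR : SEC_DIR_ADD_FILE;`. The function body starts and ends outside this hunk.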
@@ -6772,6 +6773,22 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
                goto out;
        }
 
+       /* Do we have rights to move into the destination ? */
+       if (S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+               /* We're moving a directory. */
+               access_mask = SEC_DIR_ADD_SUBDIR;
+       }
+       status = check_parent_access(conn,
+                               smb_fname_dst,
+                               access_mask);
+       if (!NT_STATUS_IS_OK(status)) {
+               DBG_INFO("check_parent_access on "
+                       "dst %s returned %s\n",
+                       smb_fname_str_dbg(smb_fname_dst),
+                       nt_errstr(status));
+               goto out;
+       }
+
        lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
 
        /*
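Review bot: The choice between `SEC_DIR_ADD_FILE` and `SEC_DIR_ADD_SUBDIR` rests on `S_ISDIR(fsp->fsp_name->st.st_ex_mode)`, and nothing in this hunk shows that the cached stat in fsp->fsp_name is valid when the test runs. If it were unset, a directory rename would be checked against `SEC_DIR_ADD_FILE`, so a destination ACL that grants file creation but not subdirectory creation would let the directory through. That should be confirmed against the earlier part of the function, which is outside the hunk, and the assumption recorded next to the test, e.g. `/* Relies on fsp_name->st being valid: a zeroed stat would select SEC_DIR_ADD_FILE for a directory. */`. The existing comment could also say that the right is evaluated on the parent directory of smb_fname_dst, which is presumably what check_parent_access does.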