From: Stefan Metzmacher
Date: Wed, 13 Jul 2022 11:15:39 +0000 (+0000)
Subject: smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL
X-Git-Tag: ldb-2.6.1~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d4cb5a641e1fea2d369bdc66470a580321366c2;p=thirdparty%2Fsamba.git

smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL

commit 8e3798dd22276bc1ac8e96004d0e5e974240a7b9 actually came with a change in behavior..., as SMB_VFS_GET_NT_ACL_AT() (at the time) and now SMB_VFS_FGET_NT_ACL() is always called even if it's not needed. E.g. access by root.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Tue Jul 26 00:31:29 UTC 2022 on sn-devel-184
---
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3a8c0bf9c48..ee61137ab9d 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -95,18 +95,13 @@ static bool parent_override_delete(connection_struct *conn,
 Check if we have open rights.
 ****************************************************************************/
 
-static NTSTATUS smbd_check_access_rights_sd(
+static NTSTATUS smbd_check_access_rights_fname(
 struct connection_struct *conn,
- struct files_struct *dirfsp,
 const struct smb_filename *smb_fname,
- struct security_descriptor *sd,
 bool use_privs,
 uint32_t access_mask)
 {
 uint32_t rejected_share_access;
- uint32_t rejected_mask = access_mask;
- uint32_t do_not_check_mask = 0;
- NTSTATUS status;
 
 rejected_share_access = access_mask & ~(conn->share_access);
 
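Review bot: The banner comment kept above the renamed function ("Check if we have open rights.") no longer describes what `smbd_check_access_rights_fname` returns. The end of its body, in the second hunk, adds `return NT_STATUS_MORE_PROCESSING_REQUIRED;` as a "no decision yet" result, and the caller in the third hunk depends on comparing against exactly that value. I would extend the comment to name the outcomes, e.g. `Returns NT_STATUS_MORE_PROCESSING_REQUIRED when the caller must still evaluate the security descriptor; any other status is final.` The middle of the function body lies outside the hunks, so the exact set of early results (presumably an access-denied status when `conn->share_access` rejects part of the mask) should be confirmed against the full file.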
@@ -147,6 +142,21 @@ static NTSTATUS smbd_check_access_rights_sd(
 return NT_STATUS_OK;
 }
 
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static NTSTATUS smbd_check_access_rights_sd(
+ struct connection_struct *conn,
+ struct files_struct *dirfsp,
+ const struct smb_filename *smb_fname,
+ struct security_descriptor *sd,
+ bool use_privs,
+ uint32_t access_mask)
+{
+ uint32_t rejected_mask = access_mask;
+ uint32_t do_not_check_mask = 0;
+ NTSTATUS status;
+
 if (sd == NULL) {
 goto access_denied;
 }
@@ -278,6 +288,14 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *dirfsp,
 return NT_STATUS_OK;
 }
 
+ status = smbd_check_access_rights_fname(fsp->conn,
+ fsp->fsp_name,
+ use_privs,
+ access_mask);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ return status;
+ }
+
 status = SMB_VFS_FGET_NT_ACL(fsp,
 (SECINFO_OWNER |
 SECINFO_GROUP |
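Review bot: After the split in the second hunk (`@@ -147,6 +142,21 @@`), `smbd_check_access_rights_sd` begins directly at `if (sd == NULL)` and no longer applies the `conn->share_access` mask itself. Its result is therefore only a complete access decision when the caller has already run `smbd_check_access_rights_fname` and received NT_STATUS_MORE_PROCESSING_REQUIRED. The only caller visible in this diff, `smbd_check_access_rights_fsp` in the third hunk, does that; any other caller in open.c is outside the diff and should be checked for the same ordering. I would state the precondition above the function, e.g. `/* Caller must have called smbd_check_access_rights_fname() first; share-level access is not re-checked here. */`. The function still takes `conn`, `smb_fname` and `use_privs`, and whether they remain used cannot be told from the hunk because the body continues outside it.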