smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL
authorStefan Metzmacher <metze@samba.org>
Wed, 13 Jul 2022 11:15:39 +0000 (11:15 +0000)
committerJeremy Allison <jra@samba.org>
Tue, 26 Jul 2022 00:31:29 +0000 (00:31 +0000)
commit 8e3798dd22276bc1ac8e96004d0e5e974240a7b9 actually came with a
change in behavior: SMB_VFS_GET_NT_ACL_AT() (at the time), and now
SMB_VFS_FGET_NT_ACL(), is always called even if it's not needed,
e.g. for access by root.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 26 00:31:29 UTC 2022 on sn-devel-184

source3/smbd/open.c

index 3a8c0bf9c48537fba47560f8ae3c6c42711136d5..ee61137ab9d3ba8e10dd9d728d61e1544ec8f63b 100644 (file)
@@ -95,18 +95,13 @@ static bool parent_override_delete(connection_struct *conn,
  Check if we have open rights.
 ****************************************************************************/
 
-static NTSTATUS smbd_check_access_rights_sd(
+static NTSTATUS smbd_check_access_rights_fname(
                                struct connection_struct *conn,
-                               struct files_struct *dirfsp,
                                const struct smb_filename *smb_fname,
-                               struct security_descriptor *sd,
                                bool use_privs,
                                uint32_t access_mask)
 {
        uint32_t rejected_share_access;
-       uint32_t rejected_mask = access_mask;
-       uint32_t do_not_check_mask = 0;
-       NTSTATUS status;
 
        rejected_share_access = access_mask & ~(conn->share_access);
 
@@ -147,6 +142,21 @@ static NTSTATUS smbd_check_access_rights_sd(
                return NT_STATUS_OK;
        }
 
+       return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static NTSTATUS smbd_check_access_rights_sd(
+                               struct connection_struct *conn,
+                               struct files_struct *dirfsp,
+                               const struct smb_filename *smb_fname,
+                               struct security_descriptor *sd,
+                               bool use_privs,
+                               uint32_t access_mask)
+{
+       uint32_t rejected_mask = access_mask;
+       uint32_t do_not_check_mask = 0;
+       NTSTATUS status;
+
        if (sd == NULL) {
                goto access_denied;
        }
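Review bot: After this split smbd_check_access_rights_sd() begins directly at the `sd == NULL` test, so the share-access mask computed at the top of smbd_check_access_rights_fname() (first hunk) is no longer applied by _sd itself, and nothing in the code states that _fname must run first. The one call site visible in this diff, smbd_check_access_rights_fsp() in the last hunk, orders the two calls correctly, but a later caller that invokes _sd alone would skip the share-level restriction without any compile-time or runtime signal. I would add a header comment on _sd along the lines of `/* Caller must have called smbd_check_access_rights_fname() and received NT_STATUS_MORE_PROCESSING_REQUIRED. */`. I would also add a comment on _fname saying that NT_STATUS_MORE_PROCESSING_REQUIRED is used here only as an internal "continue with the security descriptor check" result and must not be passed back to the client. Both function bodies extend outside the hunks, so whether _sd has other callers cannot be confirmed from this page.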
@@ -278,6 +288,14 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *dirfsp,
                return NT_STATUS_OK;
        }
 
+       status = smbd_check_access_rights_fname(fsp->conn,
+                                               fsp->fsp_name,
+                                               use_privs,
+                                               access_mask);
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               return status;
+       }
+
        status = SMB_VFS_FGET_NT_ACL(fsp,
                                     (SECINFO_OWNER |
                                      SECINFO_GROUP |