From: Jeremy Allison <jra@samba.org>
Date: Fri, 4 Jun 2021 00:05:51 +0000 (-0700)
Subject: s3: smbd: Subtle change to semantics needed for smbd_check_access_rights_fsp().
X-Git-Tag: tevent-0.11.0~637
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ae5cb84fae60663cdd8a507a015ac3f9b8296647;p=thirdparty%2Fsamba.git

s3: smbd: Subtle change to semantics needed for smbd_check_access_rights_fsp().

smbd_check_access_rights() is checking permissions on a file *before*
open, so getting ACCESS_DENIED and mapping to NT_STATUS_OK when
reading the security descriptor is fine, as if we really don't have
access the open will fail.

smbd_check_access_rights_fsp() takes place *after* the open (pathref
or otherwise), so being unable to get the security decriptor should
be reported back to the caller and not mapped to NT_STATUS_OK.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 5094f41c690..b1d90412bf1 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -293,9 +293,6 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *fsp,
 				      SECINFO_DACL),
 				     talloc_tos(),
 				     &sd);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-		status = NT_STATUS_OK;
-	}
 	if (!NT_STATUS_IS_OK(status)) {
 		DBG_DEBUG("Could not get acl on %s: %s\n",
 			  fsp_str_dbg(fsp),