From a706a544775fca18a40eb063656a8deb57867ec3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 20 May 2021 12:26:47 -0700
Subject: [PATCH] s3: smbd: Re-use refuse_symlink_fsp() in set/get security
 descriptors.

Now we have one common function for refusing access on symlinks.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 source3/smbd/nttrans.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 75162b5f61c..a241dcb6243 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -999,10 +999,11 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 		return NT_STATUS_OK;
 	}
 
-	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-		DEBUG(10, ("ACL set on symlink %s denied.\n",
-			fsp_str_dbg(fsp)));
-		return NT_STATUS_ACCESS_DENIED;
+	status = refuse_symlink_fsp(fsp);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("ACL set on symlink %s denied.\n",
+			fsp_str_dbg(fsp));
+		return status;
 	}
 
 	if (psd->owner_sid == NULL) {
@@ -2159,11 +2160,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-		DEBUG(10, ("ACL get on symlink %s denied.\n",
-			fsp_str_dbg(fsp)));
+	status = refuse_symlink_fsp(fsp);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("ACL get on symlink %s denied.\n",
+			fsp_str_dbg(fsp));
 		TALLOC_FREE(frame);
-		return NT_STATUS_ACCESS_DENIED;
+		return status;
 	}
 
 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
-- 
2.47.3