| blob | abffcd2f4fd6cd7305ac02a3ee7ccf22cbb5abac |
1 /*
2 Unix SMB/CIFS implementation.
3 Check access to files based on security descriptors.
4 Copyright (C) Jeremy Allison 2005-2006.
5 Copyright (C) Michael Adam 2007.
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
23 #undef DBGC_CLASS
24 #define DBGC_CLASS DBGC_ACLS
26 /**
27 * Security descriptor / NT Token level access check function.
28 */
32 {
33 NTSTATUS status;
38 /* I'm sorry sir, I didn't know you were root... */
40 }
44 GROUP_SECURITY_INFORMATION |
45 DACL_SECURITY_INFORMATION),
50 }
56 }
58 /****************************************************************************
59 Actually emulate the in-kernel access checking for delete access. We need
60 this to successfully return ACCESS_DENIED on a file open for delete access.
61 ****************************************************************************/
64 {
65 SMB_STRUCT_STAT sbuf;
71 }
73 /* Get the parent directory permission mask and owners. */
76 }
79 }
81 /* fast paths first */
85 }
87 /* I'm sorry sir, I didn't know you were root... */
89 }
91 #ifdef S_ISVTX
92 /* sticky bit means delete only by owner or root. */
94 SMB_STRUCT_STAT sbuf_file;
97 /* If the file doesn't already exist then
98 * yes we'll be able to delete it. */
100 }
102 }
103 /*
104 * Patch from SATOH Fumiyasu <fumiyas@miraclelinux.com>
105 * for bug #3348. Don't assume owning sticky bit
106 * directory means write access allowed.
107 */
110 }
111 }
112 #endif
114 /* now for ACL checks */
116 /*
117 * There's two ways to get the permission to delete a file: First by
118 * having the DELETE bit on the file itself and second if that does
119 * not help, by the DELETE_CHILD bit on the containing directory.
120 *
121 * Here we only check the directory permissions, we will
122 * check the file DELETE permission separately.
123 */
126 }
128 /****************************************************************************
129 Actually emulate the in-kernel access checking for read/write access. We need
130 this to successfully check for ability to write for dos filetimes.
131 Note this doesn't take into account share write permissions.
132 ****************************************************************************/
134 bool can_access_file_data(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf, uint32 access_mask)
135 {
138 }
141 /* some fast paths first */
147 /* I'm sorry sir, I didn't know you were root... */
149 }
152 /* Get the file permission mask and owners. */
155 }
156 }
158 /* Check primary owner access. */
173 }
174 }
175 }
177 /* now for ACL checks */
180 }
182 /****************************************************************************
183 Userspace check for write access.
184 Note this doesn't take into account share write permissions.
185 ****************************************************************************/
188 {
190 }
192 /****************************************************************************
193 Check for an existing default Windows ACL on a directory.
194 ****************************************************************************/
197 {
198 /* returns talloced off tos. */
206 }
211 SEC_ACE_FLAG_CONTAINER_INHERIT)) {
214 }
215 }
218 }