From 0874d3ab3e1cb7e42900da9543963799b864e485 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 20 Dec 2023 15:09:59 +0100
Subject: [PATCH] smbd: check for previous versions in check_any_access_fsp()

Now that check_any_access_fsp() is broadly used consistently to restrict access for all modifying operations, we can add a check for previous versions to check_any_access_fsp() and it gets enforced consistently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
(cherry picked from commit fd4e41144a819b4403340e4a28664ac586722b41)
---
 .../samba3.blackbox.shadow_copy_torture | 1 -
 source3/smbd/smb2_trans2.c | 22 ++++++++++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.blackbox.shadow_copy_torture

diff --git a/selftest/knownfail.d/samba3.blackbox.shadow_copy_torture b/selftest/knownfail.d/samba3.blackbox.shadow_copy_torture
deleted file mode 100644
index 16537e58aeb..00000000000
--- a/selftest/knownfail.d/samba3.blackbox.shadow_copy_torture
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.shadow_copy_torture.writing to shadow copy of a file\(fileserver\)
diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c
index d39f5880efa..7fb7f45505c 100644
--- a/source3/smbd/smb2_trans2.c
+++ b/source3/smbd/smb2_trans2.c
@@ -80,6 +80,8 @@ NTSTATUS refuse_symlink_fsp(const files_struct *fsp)
 NTSTATUS check_any_access_fsp(struct files_struct *fsp,
 uint32_t access_requested)
 {
+ const uint32_t ro_access = SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ uint32_t ro_access_granted = 0;
 uint32_t access_granted = 0;
 NTSTATUS status;
 
@@ -100,15 +102,31 @@ NTSTATUS check_any_access_fsp(struct files_struct *fsp,
 false,
 mask);
 if (NT_STATUS_IS_OK(status)) {
- break;
+ access_granted |= mask;
+ if (fsp->fsp_name->twrp == 0) {
+ /*
+ * We can only optimize
+ * the non-snapshot case
+ */
+ break;
+ }
 }
 mask <<= 1;
 }
- access_granted = mask;
 }
 if ((access_granted & access_requested) == 0) {
 return NT_STATUS_ACCESS_DENIED;
 }
+
+ if (fsp->fsp_name->twrp == 0) {
+ return NT_STATUS_OK;
+ }
+
+ ro_access_granted = access_granted & ro_access;
+ if ((ro_access_granted & access_requested) == 0) {
+ return NT_STATUS_MEDIA_WRITE_PROTECTED;
+ }
+
 return NT_STATUS_OK;
 }
 
-- 
2.11.4.GIT
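Review bot: The snapshot test at the end of check_any_access_fsp() keeps the function's "any bit" semantics, so for a handle with `twrp != 0` it returns NT_STATUS_OK as soon as one requested bit falls inside `ro_access` and is granted. It therefore blocks a modifying operation only when the caller's `access_requested` holds write-class bits exclusively. The callers and the start of the function are outside this hunk, so whether any caller passes a mask that mixes a write right with a read or execute right cannot be confirmed from here. That contract is what makes the enforcement hold and should be stated above the `ro_access_granted` assignment, e.g. `/* twrp != 0: previous versions are read-only; callers guarding a modifying operation must not include read or execute bits in access_requested */`. As a smaller style point, `fsp->fsp_name->twrp == 0` is evaluated both inside the loop and after it; a single local such as `const bool is_snapshot = (fsp->fsp_name->twrp != 0);` would keep the two uses in step.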