From 0f865a34f1a080e35ce6a4c19fec80a84c7b8dc9 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 21 Dec 2023 10:58:09 +0100
Subject: [PATCH] smbd: rename check_access_fsp() to check_any_access_fsp()
The semantics of the access check in check_access_fsp() itself is to allow access if *at least* one or more rights of the rights in access_mask are allowed. The name check_any_access_fsp() better reflects this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 96b577c380fa914eb1ffa95849c82bdb88aa1ec6)
---
 source3/smbd/proto.h | 4 ++--
 source3/smbd/smb2_ioctl_filesys.c | 6 +++---
 source3/smbd/smb2_trans2.c | 15 ++++++++++-----
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 78e1b48be09..277b9660e9b 100644
--- source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1108,8 +1108,8 @@ NTSTATUS smb_set_file_disposition_info(connection_struct *conn,
 files_struct *fsp,
 struct smb_filename *smb_fname);
 NTSTATUS refuse_symlink_fsp(const struct files_struct *fsp);
-NTSTATUS check_access_fsp(struct files_struct *fsp,
- uint32_t access_mask);
+NTSTATUS check_any_access_fsp(struct files_struct *fsp,
+ uint32_t access_mask);
 uint64_t smb_roundup(connection_struct *conn, uint64_t val);
 bool samba_private_attr_name(const char *unix_ea_name);
 NTSTATUS get_ea_value_fsp(TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/smb2_ioctl_filesys.c b/source3/smbd/smb2_ioctl_filesys.c
index 36429b8fd35..6cc53d4828e 100644
--- source3/smbd/smb2_ioctl_filesys.c
+++ b/source3/smbd/smb2_ioctl_filesys.c
@@ -378,7 +378,7 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx,
 }
 /* WRITE_DATA permission is required, WRITE_ATTRIBUTES is not */
- status = check_access_fsp(fsp, FILE_WRITE_DATA);
+ status = check_any_access_fsp(fsp, FILE_WRITE_DATA);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
@@ -426,7 +426,7 @@ static NTSTATUS fsctl_zero_data(TALLOC_CTX *mem_ctx,
 }
 /* WRITE_DATA permission is required */
- status = check_access_fsp(fsp, FILE_WRITE_DATA);
+ status = check_any_access_fsp(fsp, FILE_WRITE_DATA);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
@@ -616,7 +616,7 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx,
 }
 /* READ_DATA permission is required */
- status = check_access_fsp(fsp, FILE_READ_DATA);
+ status = check_any_access_fsp(fsp, FILE_READ_DATA);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c
index 3eb4a2de879..3a08eab9d91 100644
--- source3/smbd/smb2_trans2.c
+++ b/source3/smbd/smb2_trans2.c
@@ -72,8 +72,13 @@ NTSTATUS refuse_symlink_fsp(const files_struct *fsp)
 return NT_STATUS_OK;
 }
-NTSTATUS check_access_fsp(struct files_struct *fsp,
- uint32_t access_mask)
+/**
+ * Check that one or more of the rights in access_mask are
+ * allowed. Iow, access_mask can contain more then one right and
+ * it is sufficient having only one of those granted to pass.
+ **/
+NTSTATUS check_any_access_fsp(struct files_struct *fsp,
+ uint32_t access_mask)
 {
 if (!fsp->fsp_flags.is_fsa) {
 return smbd_check_access_rights_fsp(fsp->conn->cwd_fsp,
@@ -677,7 +682,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
 return status;
 }
- status = check_access_fsp(fsp, FILE_WRITE_EA);
+ status = check_any_access_fsp(fsp, FILE_WRITE_EA);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
@@ -4803,7 +4808,7 @@ static NTSTATUS smb_set_file_basic_info(connection_struct *conn,
 return NT_STATUS_INVALID_HANDLE;
 }
- status = check_access_fsp(fsp, FILE_WRITE_ATTRIBUTES);
+ status = check_any_access_fsp(fsp, FILE_WRITE_ATTRIBUTES);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
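Review bot: The doc comment added above check_any_access_fsp() in source3/smbd/smb2_trans2.c states the any-of semantics but not the consequence a caller has to know: passing a combined access_mask does not verify that all of those rights are granted. I would add a sentence such as `Callers that require every right in access_mask must not rely on this function with a combined mask.` and correct `more then one right` to `more than one right`. Every call site touched by this patch passes a single right (FILE_WRITE_DATA, FILE_READ_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES), so any-of and all-of coincide for them; call sites outside this diff that pass several bits would need to be checked separately. The function body continues past the end of the hunk, so the any-of behaviour is taken from the commit message and the new comment rather than from visible code.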
@@ -4874,7 +4879,7 @@ static NTSTATUS smb_set_info_standard(connection_struct *conn,
 DEBUG(10,("smb_set_info_standard: file %s\n",
 smb_fname_str_dbg(smb_fname)));
- status = check_access_fsp(fsp, FILE_WRITE_ATTRIBUTES);
+ status = check_any_access_fsp(fsp, FILE_WRITE_ATTRIBUTES);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
 }
-- 
2.11.4.GIT