/**
 * Security descriptor / NT token level access check.
 *
 * Fetches the owner, group and DACL parts of the NT security descriptor
 * for fname through the VFS layer and evaluates them against the NT token
 * of the connected user.
 *
 * @param conn         connection whose server_info supplies the unix and
 *                     NT tokens used for the decision
 * @param fname        name of the file whose ACL is consulted
 * @param access_mask  access rights being requested
 *
 * @return true when the caller is uid 0 or the share's admin user (no ACL
 *         is consulted in that case), or when se_access_check() succeeds;
 *         false when the ACL cannot be read or the check is refused.
 *
 * NOTE(review): the decision is made on a path name, so it can go stale if
 * the file or its ACL changes before the caller acts on it -- confirm that
 * callers treat the result as advisory.
 */
bool can_access_file_acl(struct connection_struct *conn,
			 const char * fname,
			 uint32_t access_mask)
{
	const uint32_t wanted_info = OWNER_SECURITY_INFORMATION |
				     GROUP_SECURITY_INFORMATION |
				     DACL_SECURITY_INFORMATION;
	struct security_descriptor *sd = NULL;
	uint32_t granted;	/* required by se_access_check(), not used here */
	NTSTATUS nt_status;
	bool allowed;

	/* Privileged callers bypass the ACL evaluation entirely. */
	if (conn->server_info->utok.uid == 0 || conn->admin_user) {
		return true;
	}

	nt_status = SMB_VFS_GET_NT_ACL(conn, fname, wanted_info, &sd);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* Fail closed: an unreadable ACL means access is denied. */
		DEBUG(5, ("Could not get acl: %s\n", nt_errstr(nt_status)));
		return false;
	}

	nt_status = se_access_check(sd, conn->server_info->ptok,
				    access_mask, &granted);
	allowed = NT_STATUS_IS_OK(nt_status);

	/* The descriptor is only needed for the check above. */
	TALLOC_FREE(sd);

	return allowed;
}
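/**
 * Report whether the DACL on fname contains at least one inheritable ACE.
 *
 * An ACE counts as inheritable when it carries SEC_ACE_FLAG_OBJECT_INHERIT
 * or SEC_ACE_FLAG_CONTAINER_INHERIT.
 *
 * @param conn   connection used for the VFS ACL lookup
 * @param fname  name of the directory to inspect
 *
 * @return true if an inheritable ACE is present; false if the ACL cannot
 *         be read, no descriptor is returned, the descriptor has no DACL,
 *         or no ACE is inheritable.
 */
bool directory_has_default_acl(connection_struct *conn, const char *fname)
{
	/* returns talloced off tos. */
	struct security_descriptor *secdesc = NULL;
	bool has_inheritable_ace = false;
	unsigned int i;
	NTSTATUS status = SMB_VFS_GET_NT_ACL(conn, fname,
					     SECINFO_DACL, &secdesc);

	if (!NT_STATUS_IS_OK(status) || secdesc == NULL) {
		return false;
	}

	/*
	 * A security descriptor may come back without a DACL. Treat that
	 * as "nothing to inherit" instead of dereferencing a NULL dacl
	 * pointer, which would crash the serving process.
	 */
	if (secdesc->dacl != NULL) {
		for (i = 0; i < secdesc->dacl->num_aces; i++) {
			struct security_ace *psa = &secdesc->dacl->aces[i];

			if (psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
					  SEC_ACE_FLAG_CONTAINER_INHERIT)) {
				has_inheritable_ace = true;
				break;
			}
		}
	}

	/* Single release point for the descriptor on every path past the fetch. */
	TALLOC_FREE(secdesc);
	return has_inheritable_ace;
}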