The Samba-Bugzilla – Attachment 12764 Details for Bug 12466
se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries.
[patch] git-am fix for 4.4.next
bug-12466-4.4 (text/plain), 2.15 KB, created by Jeremy Allison on 2016-12-12 19:48:03 UTC
Description: git-am fix for 4.4.next
Filename: bug-12466-4.4
MIME Type: text/plain
Creator: Jeremy Allison
Created: 2016-12-12 19:48:03 UTC
Size: 2.15 KB
patch
obsolete
>From 7608df8da915a4928c97bb6a2e23346c14ad8393 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 8 Dec 2016 10:40:18 -0800 >Subject: [PATCH] lib: security: se_access_check() incorrectly processes owner > rights (S-1-3-4) DENY ace entries > >Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>. > >When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the >code OR's in the deny access mask bits without taking into account if >they were being requested in the requested access mask. > >E.g. The current logic has: > >An ACL containining: > >[0] SID: S-1-3-4 > TYPE: DENY > MASK: WRITE_DATA >[1] SID: S-1-3-4 > TYPE: ALLOW > MASK: ALLOW_ALL > >prohibits an open request by the owner for READ_DATA - even though this >is explicitly allowed. > >Furthermore a non-canonical ACL containing: > >[0] SID: User SID 1-5-21-something > TYPE: ALLOW > MASK: READ_DATA > >[1] SID: S-1-3-4 > TYPE: DENY > MASK: READ_DATA > >[2] SID: User SID 1-5-21-something > TYPE: ALLOW > MASK: WRITE_DATA > >prohibits an open request by the owner for READ_DATA|WRITE_DATA - even >though READ_DATA is explicitly allowed in ACE no 0 and is thus already >filtered out of the "access-still-needed" mask when the deny ACE no 1 is >evaluated. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96) >--- > libcli/security/access_check.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c >index 2be5928..b4c850b 100644 >--- a/libcli/security/access_check.c >+++ b/libcli/security/access_check.c 
>@@ -220,7 +220,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > owner_rights_allowed |= ace->access_mask; > owner_rights_default = false; > } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { >- owner_rights_denied |= ace->access_mask; >+ owner_rights_denied |= (bits_remaining & ace->access_mask); > owner_rights_default = false; > } > continue; >-- >2.8.0.rc3.226.g39d4020 >
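Review bot: the masking with `bits_remaining` in the DENY branch (`owner_rights_denied |= (bits_remaining & ace->access_mask);`) makes the S-1-3-4 DENY branch consistent with the generic DENY case further down in se_access_check(), which also only denies when `bits_remaining & ace->access_mask` is non-zero; the ALLOW branch two lines above is unchanged, which is correct since an ALLOW mask is only ever subtracted. Because this hunk's context does not show the post-loop step that folds `owner_rights_denied` back into `bits_remaining`, a regression test exercising both ACLs from the commit message (owner requesting READ_DATA against the DENY WRITE_DATA / ALLOW_ALL pair, and READ_DATA|WRITE_DATA against the non-canonical three-ACE list) would document the intended behaviour and catch any future change to that folding logic.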
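To make the two ACLs from the commit message concrete, the following is an added, simplified C model of the owner-rights portion of the DACL walk; it is not Samba's code, the names (`owner_access_check`, `ace`, `TRUSTEE_OWNER_RIGHTS`) are hypothetical, the mask values are modelled on the NT FILE_READ_DATA/FILE_WRITE_DATA bits, and the post-loop step that applies the collected owner-rights masks (`bits_remaining &= ~owner_rights_allowed; bits_remaining |= owner_rights_denied;`) is an assumption about code outside the hunk. The `fixed` flag switches between the pre-patch and post-patch DENY handling so both outcomes described in the message can be compared, and a third case checks that a DENY still bites when the denied right really is requested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed access bits, modelled on NT file access rights. */
#define READ_DATA   0x00000001u   /* FILE_READ_DATA  */
#define WRITE_DATA  0x00000002u   /* FILE_WRITE_DATA */
#define ALLOW_ALL   0xFFFFFFFFu   /* stands in for "ALLOW_ALL" in the commit message */

enum ace_type { ACE_ALLOW, ACE_DENY };
/* Hypothetical trustee tags: S-1-3-4 (Owner Rights) or the owner's own user SID. */
enum trustee  { TRUSTEE_OWNER_RIGHTS, TRUSTEE_USER };

struct ace {
    enum trustee  trustee;
    enum ace_type type;
    uint32_t      mask;
};

/*
 * Simplified model of se_access_check() for a token that IS the owner, so every
 * ACE trustee in the lists below applies to it. The implicit default owner rights
 * (READ_CONTROL|WRITE_DAC when no S-1-3-4 ACE exists) are omitted because both
 * ACLs from the commit message carry explicit S-1-3-4 entries.
 * Returns true when access is granted.
 */
static bool owner_access_check(const struct ace *acl, size_t n,
                               uint32_t desired, bool fixed)
{
    uint32_t bits_remaining = desired;           /* rights still to be satisfied */
    uint32_t owner_rights_allowed = 0;
    uint32_t owner_rights_denied  = 0;
    bool     owner_rights_default = true;

    for (size_t i = 0; bits_remaining && i < n; i++) {
        const struct ace *ace = &acl[i];

        if (ace->trustee == TRUSTEE_OWNER_RIGHTS) {
            if (ace->type == ACE_ALLOW) {
                owner_rights_allowed |= ace->mask;
            } else if (fixed) {
                /* Post-patch: only deny bits that are still outstanding. */
                owner_rights_denied |= (bits_remaining & ace->mask);
            } else {
                /* Pre-patch bug: records every denied bit, even ones never
                 * requested or already granted by an earlier ALLOW ACE. */
                owner_rights_denied |= ace->mask;
            }
            owner_rights_default = false;
            continue;
        }

        if (ace->type == ACE_ALLOW) {
            bits_remaining &= ~ace->mask;        /* canonical ALLOW: satisfy bits */
        } else if (bits_remaining & ace->mask) {
            return false;                        /* canonical DENY on a needed bit */
        }
    }

    /* Assumed post-loop handling of the collected owner-rights masks. */
    if (!owner_rights_default) {
        bits_remaining &= ~owner_rights_allowed;
        bits_remaining |=  owner_rights_denied;
    }
    return bits_remaining == 0;
}

/* ACL 1 from the commit message: DENY WRITE_DATA, then ALLOW everything. */
static const struct ace acl1[] = {
    { TRUSTEE_OWNER_RIGHTS, ACE_DENY,  WRITE_DATA },
    { TRUSTEE_OWNER_RIGHTS, ACE_ALLOW, ALLOW_ALL  },
};

/* ACL 2 from the commit message: non-canonical, DENY sits between two ALLOWs. */
static const struct ace acl2[] = {
    { TRUSTEE_USER,         ACE_ALLOW, READ_DATA  },
    { TRUSTEE_OWNER_RIGHTS, ACE_DENY,  READ_DATA  },
    { TRUSTEE_USER,         ACE_ALLOW, WRITE_DATA },
};

/* Owner opens for READ_DATA against ACL 1: denied before the fix, granted after. */
bool example1_read(bool fixed)  { return owner_access_check(acl1, 2, READ_DATA, fixed); }
/* Owner opens for WRITE_DATA against ACL 1: denied both before and after the fix. */
bool example1_write(bool fixed) { return owner_access_check(acl1, 2, WRITE_DATA, fixed); }
/* Owner opens for READ_DATA|WRITE_DATA against ACL 2: denied before, granted after. */
bool example2(bool fixed)       { return owner_access_check(acl2, 3, READ_DATA | WRITE_DATA, fixed); }

int main(void)
{
    printf("ACL1 READ_DATA        pre=%d post=%d\n", example1_read(false),  example1_read(true));
    printf("ACL1 WRITE_DATA       pre=%d post=%d\n", example1_write(false), example1_write(true));
    printf("ACL2 READ|WRITE_DATA  pre=%d post=%d\n", example2(false),       example2(true));
    return 0;
}
```

The model reproduces the message's point: the pre-patch branch accumulates WRITE_DATA into `owner_rights_denied` in ACL 1 even though only READ_DATA was requested, and accumulates READ_DATA in ACL 2 even though ACE 0 had already removed it from `bits_remaining`; in both cases the folded-back deny bits make the final mask non-zero. Masking with `bits_remaining` fixes both while leaving a genuine deny of a requested right (ACL 1, WRITE_DATA) in place.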
Flags: slow: review+