diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index a9b618f..cb196f0 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -159,6 +159,11 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, uint32_t i; uint32_t bits_remaining; uint32_t explicitly_denied_bits = 0; + /* + * Up until Windows Server 2008, owner always had these rights. Now + * we have to use Owner Rights perms if they are on the file. + */ + uint32_t owner_rights = SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; *access_granted = access_desired; bits_remaining = access_desired; @@ -189,12 +194,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } - /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && - security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); - } - /* TODO: remove this, as it is file server specific */ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { @@ -228,6 +227,23 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, continue; } + /* + * We need the Owner Rights permissions to ensure we + * give or deny the correct permissions to the owner. Replace + * owner_rights with the perms here if it is present. + * + * We don't care if we are not the owner because that is taken + * care of below when we check if our token has the owner SID. + * + * We only do this if it is an ACCESS_ALLOWED ACE ... + */ + if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) { + if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) + owner_rights = ace->access_mask; + + continue; + } + if (!security_token_has_sid(token, &ace->trustee)) { continue; } @@ -245,6 +261,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } + /* the owner always gets owner rights as defined above */ + if ((bits_remaining & owner_rights) && + security_token_has_sid(token, sd->owner_sid)) { + bits_remaining &= ~owner_rights; + } + bits_remaining |= explicitly_denied_bits; done: diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index df57bd1..c4a417b 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -38,6 +38,7 @@ extern const struct dom_sid global_sid_Authenticated_Users; extern const struct dom_sid global_sid_Network; extern const struct dom_sid global_sid_Creator_Owner; extern const struct dom_sid global_sid_Creator_Group; +extern const struct dom_sid global_sid_Owner_Rights; extern const struct dom_sid global_sid_Anonymous; extern const struct dom_sid global_sid_Builtin; extern const struct dom_sid global_sid_Builtin_Administrators; diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c index f87d3eb..9a24a4a 100644 --- a/libcli/security/util_sid.c +++ b/libcli/security/util_sid.c @@ -62,6 +62,8 @@ const struct dom_sid global_sid_Creator_Owner = /* Creator Owner */ { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const struct dom_sid global_sid_Creator_Group = /* Creator Group */ { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const struct dom_sid global_sid_Owner_Rights = /* Owner Rights */ +{ 1, 1, {0,0,0,0,0,3}, {4,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const struct dom_sid global_sid_Anonymous = /* Anonymous login */ { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const struct dom_sid global_sid_Enterprise_DCs = /* Enterprise DCs */