Attachment 7360 Details for Bug 8795 – A potential patch to fix this possible problem

[patch] A potential patch to fix this possible problem

owner-rights.patch (text/plain), 3.55 KB, created by Richard Sharpe on 2012-03-06 06:12:21 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Richard Sharpe

Created: 2012-03-06 06:12:21 UTC

Size: 3.55 KB

patch

obsolete

>diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
>index a9b618f..cb196f0 100644
>--- a/libcli/security/access_check.c
>+++ b/libcli/security/access_check.c
>@@ -159,6 +159,11 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 	uint32_t i;
> 	uint32_t bits_remaining;
> 	uint32_t explicitly_denied_bits = 0;
>+	/*
>+	 * Up until Windows Server 2008, owner always had these rights. Now
>+	 * we have to use Owner Rights perms if they are on the file.
>+	 */
>+	uint32_t owner_rights = SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
> 
> 	*access_granted = access_desired;
> 	bits_remaining = access_desired;
>@@ -189,12 +194,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 		}
> 	}
> 
>-	/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
>-	if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
>-	    security_token_has_sid(token, sd->owner_sid)) {
>-		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
>-	}
>-
> 	/* TODO: remove this, as it is file server specific */
> 	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
> 	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
>@@ -228,6 +227,23 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 			continue;
> 		}
> 
>+		/*
>+		 * We need the Owner Rights permissions to ensure we 
>+		 * give or deny the correct permissions to the owner. Replace
>+		 * owner_rights with the perms here if it is present.
>+		 *
>+		 * We don't care if we are not the owner because that is taken
>+		 * care of below when we check if our token has the owner SID.
>+		 *
>+		 * We only do this if it is an ACCESS_ALLOWED ACE ...
>+		 */
>+		if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
>+			if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED)
>+				owner_rights = ace->access_mask;
>+
>+			continue;
>+		}
>+
> 		if (!security_token_has_sid(token, &ace->trustee)) {
> 			continue;
> 		}
>@@ -245,6 +261,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 		}
> 	}
> 
>+	/* the owner always gets owner rights as defined above */
>+	if ((bits_remaining & owner_rights) &&
>+	    security_token_has_sid(token, sd->owner_sid)) {
>+		bits_remaining &= ~owner_rights;
>+	}
>+
> 	bits_remaining |= explicitly_denied_bits;
> 
> done:
>diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
>index df57bd1..c4a417b 100644
>--- a/libcli/security/dom_sid.h
>+++ b/libcli/security/dom_sid.h
>@@ -38,6 +38,7 @@ extern const struct dom_sid global_sid_Authenticated_Users;
> extern const struct dom_sid global_sid_Network;
> extern const struct dom_sid global_sid_Creator_Owner;
> extern const struct dom_sid global_sid_Creator_Group;
>+extern const struct dom_sid global_sid_Owner_Rights;
> extern const struct dom_sid global_sid_Anonymous;
> extern const struct dom_sid global_sid_Builtin;
> extern const struct dom_sid global_sid_Builtin_Administrators;
>diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
>index f87d3eb..9a24a4a 100644
>--- a/libcli/security/util_sid.c
>+++ b/libcli/security/util_sid.c
>@@ -62,6 +62,8 @@ const struct dom_sid global_sid_Creator_Owner =		/* Creator Owner */
> { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
> const struct dom_sid global_sid_Creator_Group =		/* Creator Group */
> { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
>+const struct dom_sid global_sid_Owner_Rights =		/* Owner Rights */
>+{ 1, 1, {0,0,0,0,0,3}, {4,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
> const struct dom_sid global_sid_Anonymous =			/* Anonymous login */
> { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
> const struct dom_sid global_sid_Enterprise_DCs =		/* Enterprise DCs */

Actions: View

Attachments on bug 8795: 7360 | 7369