The Samba-Bugzilla – Attachment 7366 Details for
Bug 8797
Samba does not correctly handle DENY ACEs when privileges apply
[patch] git-am fix for 3.6.x.
0001-Fix-bug-8797-Samba-does-not-correctly-handle-DENY-AC.patch (text/plain), 3.23 KB, created by Jeremy Allison on 2012-03-09 23:30:08 UTC

Description: git-am fix for 3.6.x.
Filename: 0001-Fix-bug-8797-Samba-does-not-correctly-handle-DENY-AC.patch
MIME Type: text/plain
Creator: Jeremy Allison
Created: 2012-03-09 23:30:08 UTC
Size: 3.23 KB
Flags: patch, obsolete
>From e943704e0ed0bb697071ab2a8163f282ac13ebf5 Mon Sep 17 00:00:00 2001 >From: Richard Sharpe <realrichardsharpe@gmail.com> >Date: Fri, 9 Mar 2012 14:54:38 -0800 >Subject: [PATCH] Fix bug #8797 - Samba does not correctly handle DENY ACEs > when privileges apply. Signed-off-by: Jeremy Allison > <jra@samba.org> (cherry picked from commit > 9aafc490db58017133bbd7a7f49264ee0d48f0ff) > >--- > libcli/security/access_check.c | 54 ++++++++++++++++++++------------------- > 1 files changed, 28 insertions(+), 26 deletions(-) > >diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c >index a9b618f..d9f6293 100644 >--- a/libcli/security/access_check.c >+++ b/libcli/security/access_check.c 
>@@ -178,38 +178,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > bits_remaining)); > } > >- /* s3 had this with #if 0 previously. To be sure the merge >- doesn't change any behaviour, we have the above #if check >- on _SAMBA_BUILD_. */ >- if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { >- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { >- bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; >- } else { >- return NT_STATUS_PRIVILEGE_NOT_HELD; >- } >- } >- > /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ > if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && > security_token_has_sid(token, sd->owner_sid)) { > bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); > } > >- /* TODO: remove this, as it is file server specific */ >- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && >- security_token_has_privilege(token, SEC_PRIV_RESTORE)) { >- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); >- } >- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && >- security_token_has_privilege(token, SEC_PRIV_BACKUP)) { >- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); >- } >- >- if ((bits_remaining & SEC_STD_WRITE_OWNER) && >- security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { >- bits_remaining &= ~(SEC_STD_WRITE_OWNER); >- } >- > /* a NULL dacl allows access */ > if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { > *access_granted = access_desired; 
>@@ -247,6 +221,34 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > > bits_remaining |= explicitly_denied_bits; > >+ /* >+ * We check privileges here because they override even DENY entries. >+ */ >+ >+ /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */ >+ if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) { >+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { >+ bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; >+ } else { >+ return NT_STATUS_PRIVILEGE_NOT_HELD; >+ } >+ } >+ >+ /* TODO: remove this, as it is file server specific */ >+ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && >+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) { >+ bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); >+ } >+ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && >+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) { >+ bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); >+ } >+ >+ if ((bits_remaining & SEC_STD_WRITE_OWNER) && >+ security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { >+ bits_remaining &= ~(SEC_STD_WRITE_OWNER); >+ } >+ > done: > if (bits_remaining != 0) { > *access_granted = bits_remaining; >-- >1.7.7.3 >
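Review bot: in the first hunk (@@ -178,38), removing the SEC_FLAG_SYSTEM_SECURITY block from this point leaves the NULL-DACL branch running before any SEC_PRIV_SECURITY check: it sets `*access_granted = access_desired;` with the SEC_FLAG_SYSTEM_SECURITY bit still present in access_desired, where the old code returned NT_STATUS_PRIVILEGE_NOT_HELD before the DACL was looked at. If that branch returns NT_STATUS_OK (its continuation is cut off here), a caller without SeSecurityPrivilege gets SACL access on any object with a NULL DACL. Suggest keeping an early check before the NULL-DACL test that clears the bit when the privilege is held, and leaving the NT_STATUS_PRIVILEGE_NOT_HELD return for the relocated post-DACL check, so both paths are covered. The removed comment about the s3 `#if 0` history and the `_SAMBA_BUILD_` check is dropped without a replacement saying where the privilege checks went; a one-line pointer would help the next reader of this function.

Review bot: in the second hunk (@@ -247,6), the relocated test changed from `access_desired & SEC_FLAG_SYSTEM_SECURITY` to `bits_remaining & SEC_FLAG_SYSTEM_SECURITY`; since this now runs after the DACL walk, an ALLOW ACE whose mask includes that bit would clear it from bits_remaining and the NT_STATUS_PRIVILEGE_NOT_HELD return would be skipped for a caller without SEC_PRIV_SECURITY. Testing access_desired here, as the old block did, keeps the privilege mandatory regardless of the DACL. The comment `Does the user have the privilege to gain SEC_PRIV_SECURITY?` names the privilege where it means the access bit: the right gained is SEC_FLAG_SYSTEM_SECURITY and the privilege checked is SEC_PRIV_SECURITY, so reword it to match the three blocks that follow. The `TODO: remove this, as it is file server specific` comment is carried along with the restore/backup/take-ownership checks rather than resolved; if it still applies in this shared libcli path, say which callers depend on it. One ordering check: these overrides sit after `bits_remaining |= explicitly_denied_bits;` but before `done:`, so any path that jumps to `done:` from earlier in the function (none is visible in this hunk) bypasses the privilege overrides and still reports ACCESS_DENIED for a backup operator matched by a DENY ACE, which is the case the bug title describes. A test exercising an explicit DENY against a token holding SEC_PRIV_BACKUP, SEC_PRIV_RESTORE and SEC_PRIV_TAKE_OWNERSHIP would pin the intended behaviour of this block.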
Flags: jra: review+
Attachments on bug 8797: 7364 | 7366