Attachment 7366 Details for Bug 8797 – gia-am fix for 3.6.x.

[patch] gia-am fix for 3.6.x.

0001-Fix-bug-8797-Samba-does-not-correctly-handle-DENY-AC.patch (text/plain), 3.23 KB, created by Jeremy Allison on 2012-03-09 23:30:08 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2012-03-09 23:30:08 UTC

Size: 3.23 KB

patch

obsolete

>From e943704e0ed0bb697071ab2a8163f282ac13ebf5 Mon Sep 17 00:00:00 2001
>From: Richard Sharpe <realrichardsharpe@gmail.com>
>Date: Fri, 9 Mar 2012 14:54:38 -0800
>Subject: [PATCH] Fix bug #8797 - Samba does not correctly handle DENY ACEs
> when privileges apply. Signed-off-by: Jeremy Allison
> <jra@samba.org> (cherry picked from commit
> 9aafc490db58017133bbd7a7f49264ee0d48f0ff)
>
>---
> libcli/security/access_check.c |   54 ++++++++++++++++++++-------------------
> 1 files changed, 28 insertions(+), 26 deletions(-)
>
>diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
>index a9b618f..d9f6293 100644
>--- a/libcli/security/access_check.c
>+++ b/libcli/security/access_check.c
>@@ -178,38 +178,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 			bits_remaining));
> 	}
> 
>-	/* s3 had this with #if 0 previously. To be sure the merge
>-	   doesn't change any behaviour, we have the above #if check
>-	   on _SAMBA_BUILD_. */
>-	if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
>-		if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
>-			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
>-		} else {
>-			return NT_STATUS_PRIVILEGE_NOT_HELD;
>-		}
>-	}
>-
> 	/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
> 	if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
> 	    security_token_has_sid(token, sd->owner_sid)) {
> 		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
> 	}
> 
>-	/* TODO: remove this, as it is file server specific */
>-	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
>-	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
>-		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
>-	}
>-	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
>-	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
>-		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
>-	}
>-
>-	if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
>-	     security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
>-		bits_remaining &= ~(SEC_STD_WRITE_OWNER);
>-	}
>-
> 	/* a NULL dacl allows access */
> 	if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
> 		*access_granted = access_desired;
>@@ -247,6 +221,34 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
> 
> 	bits_remaining |= explicitly_denied_bits;
> 
>+	/*
>+	 * We check privileges here because they override even DENY entries.
>+	 */
>+
>+	/* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
>+	if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
>+		if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
>+			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
>+		} else {
>+			return NT_STATUS_PRIVILEGE_NOT_HELD;
>+		}
>+	}
>+
>+	/* TODO: remove this, as it is file server specific */
>+	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
>+	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
>+		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
>+	}
>+	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
>+	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
>+		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
>+	}
>+
>+	if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
>+	     security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
>+		bits_remaining &= ~(SEC_STD_WRITE_OWNER);
>+	}
>+
> done:
> 	if (bits_remaining != 0) {
> 		*access_granted = bits_remaining;
>-- 
>1.7.7.3
>

Flags:

jra: review+

Actions: View

Attachments on bug 8797: 7364 | 7366