The Samba-Bugzilla – Attachment 7369 Details for
Bug 8795
Samba does not handle the Owner Rights permissions at all
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
More correct Owner Rights patch
owner-rights.patch (text/plain), 4.35 KB, created by
Richard Sharpe
on 2012-03-10 17:13:14 UTC
(
hide
)
Description:
More correct Owner Rights patch
Filename:
MIME Type:
Creator:
Richard Sharpe
Created:
2012-03-10 17:13:14 UTC
Size:
4.35 KB
patch
obsolete
>commit 3acf60c6acf758ce9492fa8db686d7fccf493f0b >Author: Richard Sharpe <realrichardsharpe@gmail.com> >Date: Sun Mar 4 10:45:15 2012 -0800 > > Handle the Owner Rights SID when doing access checks as per the discussion in > bug #8795. > >diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c >index d9f6293..3d18af2 100644 >--- a/libcli/security/access_check.c >+++ b/libcli/security/access_check.c >@@ -159,6 +159,16 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > uint32_t i; > uint32_t bits_remaining; > uint32_t explicitly_denied_bits = 0; >+ /* >+ * Up until Windows Server 2008, owner always had these rights. Now >+ * we have to use Owner Rights perms if they are on the file. >+ * >+ * In addition we have to accumulate these bits and apply them >+ * correctly. See bug #8795 >+ */ >+ uint32_t owner_rights_allowed = 0x0; >+ uint32_t owner_rights_denied = 0x0; >+ bool owner_rights_default = True; > > *access_granted = access_desired; > bits_remaining = access_desired; >@@ -178,12 +188,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > bits_remaining)); > } > >- /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ >- if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && >- security_token_has_sid(token, sd->owner_sid)) { >- bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); >- } >- > /* a NULL dacl allows access */ > if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { > *access_granted = access_desired; >@@ -202,6 +206,28 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > continue; > } > >+ /* >+ * We need the Owner Rights permissions to ensure we >+ * give or deny the correct permissions to the owner. Replace >+ * owner_rights with the perms here if it is present. >+ * >+ * We don't care if we are not the owner because that is taken >+ * care of below when we check if our token has the owner SID. >+ * >+ * We only do this if it is an ACCESS_ALLOWED ACE ... >+ */ >+ if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) { >+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { >+ owner_rights_allowed |= ace->access_mask; >+ owner_rights_default = False; >+ } >+ else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { >+ owner_rights_denied |= ace->access_mask; >+ owner_rights_default = False; >+ } >+ continue; >+ } >+ > if (!security_token_has_sid(token, &ace->trustee)) { > continue; > } >@@ -219,6 +245,23 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > } > } > >+ /* the owner always gets owner rights as defined above */ >+ if (security_token_has_sid(token, sd->owner_sid)) { >+ if (owner_rights_default) >+ /* >+ * Just remove them, no need to check if they are >+ * there. >+ */ >+ bits_remaining &= ~(SEC_STD_WRITE_DAC | >+ SEC_STD_READ_CONTROL); >+ >+ else { >+ bits_remaining &= ~owner_rights_allowed; >+ bits_remaining |= owner_rights_denied; >+ } >+ } >+ >+ /* Explicitly denied bits always override */ > bits_remaining |= explicitly_denied_bits; > > /* >diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h >index df57bd1..c4a417b 100644 >--- a/libcli/security/dom_sid.h >+++ b/libcli/security/dom_sid.h >@@ -38,6 +38,7 @@ extern const struct dom_sid global_sid_Authenticated_Users; > extern const struct dom_sid global_sid_Network; > extern const struct dom_sid global_sid_Creator_Owner; > extern const struct dom_sid global_sid_Creator_Group; >+extern const struct dom_sid global_sid_Owner_Rights; > extern const struct dom_sid global_sid_Anonymous; > extern const struct dom_sid global_sid_Builtin; > extern const struct dom_sid global_sid_Builtin_Administrators; >diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c >index f87d3eb..9a24a4a 100644 >--- a/libcli/security/util_sid.c >+++ b/libcli/security/util_sid.c >@@ -62,6 +62,8 @@ const struct dom_sid global_sid_Creator_Owner = /* Creator Owner */ > { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; > const struct dom_sid global_sid_Creator_Group = /* Creator Group */ > { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; >+const struct dom_sid global_sid_Owner_Rights = /* Owner Rights */ >+{ 1, 1, {0,0,0,0,0,3}, {4,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; > const struct dom_sid global_sid_Anonymous = /* Anonymous login */ > { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; > const struct dom_sid global_sid_Enterprise_DCs = /* Enterprise DCs */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=7369">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 8795
:
7360
| 7369