Bug 2726 - allowing smbcacls to modify the acl when it's not allowed to modify the owner
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
Version: 3.0.14a
Hardware: All Windows 2000
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
 
Reported: 2005-05-18 18:07 UTC by Martin Dorey
Modified: 2011-04-27 00:29 UTC

Attachments:
my proposed fix (739 bytes, patch), 2005-05-18 18:07 UTC, Martin Dorey

Description Martin Dorey 2005-05-18 18:07:04 UTC
I previously submitted a patch to smbcacls here:

http://lists.samba.org/archive/samba-technical/2003-June/029814.html 

My motivation (copied from that post) was:

  Though I have WriteOwner right to the directory in question, the Win2K
  server in question won't let me "change" the owner - even if I'm trying to
  set it to the same SID that it already is - as the particular SID in
  question isn't in my access token.  From previous experiments, I think this
  is normal behaviour on the part of MS servers.

...

  main() calls cacl_set() which calls cli_set_secdesc() which will try to set
  the owner and group if the security descriptor it's passed has those fields.
  Perhaps the right fix is then to not initialise the owner and group fields
  in the security descriptor that's passed in

Jeremy kindly applied my patch here:

http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c.diff?r1=1.66.2.15&r2=1.66.2.16&f=h


This was merged into the CVS MAIN branch here:

http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c.diff?r1=1.89&r2=1.90


It is still in the CVS HEAD here:

http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c?annotate=1.93 

It's also in the latest revision on the SAMBA_3_0_RELEASE CVS branch here:

http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c?annotate=1.89.2.4 

Most of the patch is in the most recent SVN revision here:

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/utils/smbcacls.c?rev=4090&view=markup

Part of it was effectively backed out and an additional change was made in order
to fix another problem (https://bugzilla.samba.org/show_bug.cgi?id=404 and
https://bugzilla.samba.org/show_bug.cgi?id=2076) here:

http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=3918&view=rev 

This has caused my problem to recur.

I think I've understood the reason for the additional change and I've come up
with a patch which fixes my problem and, I think, should preserve the fix for
#404 and #2076.  Looking at bugzilla, I think this may be the cause of
https://bugzilla.samba.org/show_bug.cgi?id=2111 but it's difficult to be sure,
so I thought it might be better to raise a separate bug.  Sadly, the svn
protocol won't go through our corporate firewall at present (I have a ticket to
get that addressed), so I used rsync to get the "unpacked" source from the head
of the tree.  I made my changes under the "samba" directory.  I hope that was
the right choice.

I'll attach the patch when bugzilla gives me the option which I think will be
when I've hit Commit.

Here's my test file before trying any changes:

martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
REVISION:1
OWNER:BUILTIN\Administrators
GROUP:TERASTACK\Domain Users
ACL:\Everyone:ALLOWED/0/FULL
martind@duezer:~/download/samba.org/samba/source$

Here's where I test the code prior to my patch to see whether a user who should
be able to overwrite the ACL but not the owner can add an ACE, modify the ACL or
delete an ACE:

martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -a 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -M 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -D 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$

Then I made the changes and repeated the tests:

martind@duezer:~/download/samba.org/samba/source$ make bin/smbcacls
Compiling utils/smbcacls.c
Linking bin/smbcacls
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -M 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -a 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -D 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file
"/usr/local/samba/lib/smb.conf":
	No such file or directory
creating lame upcase table
creating lame lowcase table
Password: 
martind@duezer:~/download/samba.org/samba/source$
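The failure mode the report describes, replayed as an added example (this is my illustration, not code from the bug report, the attached patch, or Samba): a model of the SECURITY_INFORMATION mask that accompanies NT_TRANSACT_SET_SECURITY_DESC, and a simplified model of the server-side rule that an owner can only be set to a SID the caller's token holds, even when that SID is already the owner. The SecDesc, Token and Ace classes, the cacl_set_before/cacl_set_after functions and the -a/-M/-D semantics in apply_acl_op are assumptions made for the illustration; the four SECURITY_INFORMATION bit values are the Windows/SMB constants, and the SIDs, ACE and status codes come from the transcript above.

```python
# Added example (not code from the bug report or from Samba): a model of the
# SECURITY_INFORMATION mask smbcacls sends in NT_TRANSACT_SET_SECURITY_DESC and
# a simplified model of the Windows-side owner check the report describes.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# SECURITY_INFORMATION bits (Windows/SMB values; the only non-constructed part)
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8


@dataclass(frozen=True)
class Ace:
    trustee: str   # printed by smbcacls as e.g. \Everyone
    kind: str      # "ALLOWED" or "DENIED"
    flags: int
    mask: str      # e.g. "FULL"


@dataclass
class SecDesc:
    """Hypothetical stand-in for Samba's security descriptor: a field left
    None is 'not present' and must not be sent to the server."""
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[List[Ace]] = None


@dataclass(frozen=True)
class Token:
    """Hypothetical access token: user SID plus group SIDs, no restore privilege."""
    user: str
    groups: FrozenSet[str]

    def holds(self, sid: Optional[str]) -> bool:
        return sid == self.user or sid in self.groups


def server_set_secdesc(stored: SecDesc, token: Token, secinfo: int, sd: SecDesc) -> str:
    """Simplified server model: an owner change is refused unless the requested
    owner SID is in the caller's token, even when it equals the current owner
    (Windows 2000 SP4 answered NT_STATUS_ACCESS_DENIED in the report; the
    earlier test, probably against NT4, got NT_STATUS_INVALID_OWNER).  Each
    other field is applied only when its SECURITY_INFORMATION bit is set."""
    if secinfo & OWNER_SECURITY_INFORMATION and not token.holds(sd.owner):
        return "NT_STATUS_ACCESS_DENIED"
    if secinfo & OWNER_SECURITY_INFORMATION:
        stored.owner = sd.owner
    if secinfo & GROUP_SECURITY_INFORMATION:
        stored.group = sd.group
    if secinfo & DACL_SECURITY_INFORMATION:
        stored.dacl = list(sd.dacl or [])
    return "NT_STATUS_OK"


def apply_acl_op(dacl: List[Ace], op: str, ace: Ace) -> List[Ace]:
    """-a adds an ACE, -M replaces the ACE for the same trustee, -D removes a
    matching ACE (assumed semantics for the three options used in the report)."""
    if op == "add":
        return dacl + [ace]
    if op == "modify":
        return [ace if a.trustee == ace.trustee else a for a in dacl]
    if op == "delete":
        return [a for a in dacl if a != ace]
    raise ValueError(op)


def cacl_set_before(stored: SecDesc, token: Token, op: str, ace: Ace) -> str:
    """Behaviour the report complains about: owner and group are copied from the
    existing descriptor, so the server is asked to (re)set the owner as well."""
    sd = SecDesc(owner=stored.owner, group=stored.group,
                 dacl=apply_acl_op(stored.dacl, op, ace))
    secinfo = (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
               | DACL_SECURITY_INFORMATION)
    return server_set_secdesc(stored, token, secinfo, sd)


def cacl_set_after(stored: SecDesc, token: Token, op: str, ace: Ace,
                   owner: Optional[str] = None, group: Optional[str] = None) -> str:
    """Intended behaviour: only the parts the user asked to change are sent."""
    sd = SecDesc(owner=owner, group=group, dacl=apply_acl_op(stored.dacl, op, ace))
    secinfo = DACL_SECURITY_INFORMATION
    if owner is not None:
        secinfo |= OWNER_SECURITY_INFORMATION
    if group is not None:
        secinfo |= GROUP_SECURITY_INFORMATION
    return server_set_secdesc(stored, token, secinfo, sd)


def run_scenario() -> Tuple[Dict[str, str], SecDesc]:
    """Replays the report's file (owner BUILTIN\\Administrators, group
    TERASTACK\\Domain Users, one ACE) with caller TERASTACK\\devtest, assumed
    here to hold WriteOwner but not to be a member of Administrators."""
    everyone_full = Ace(r"\Everyone", "ALLOWED", 0, "FULL")
    stored = SecDesc(owner=r"BUILTIN\Administrators",
                     group=r"TERASTACK\Domain Users", dacl=[everyone_full])
    token = Token(r"TERASTACK\devtest", frozenset({r"TERASTACK\Domain Users"}))
    results: Dict[str, str] = {}
    for op in ("add", "modify", "delete"):
        results["before-" + op] = cacl_set_before(stored, token, op, everyone_full)
    for op in ("modify", "add", "delete"):
        results["after-" + op] = cacl_set_after(stored, token, op, everyone_full)
    # An explicit chown to the very same SID still fails: that is the server's
    # rule, not something the client-side change can or should alter.
    results["after-chown"] = cacl_set_after(stored, token, "add", everyone_full,
                                            owner=r"BUILTIN\Administrators")
    return results, stored


if __name__ == "__main__":
    for name, status in run_scenario()[0].items():
        print(f"{name:14s} {status}")
```

The point of the model is the mask, not the descriptor contents: the "before" path sends an owner that happens to be unchanged and is refused, the "after" path sends only DACL_SECURITY_INFORMATION and succeeds, and the owner on the stored descriptor is untouched either way. Whether a real client must also cope with a server that requires the owner field for other reasons (the #404/#2076 problem the report mentions) is outside what this model shows.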
Comment 1 Martin Dorey 2005-05-18 18:07:42 UTC
Created attachment 1234
my proposed fix
Comment 2 Martin Dorey 2005-05-18 18:23:50 UTC
> Here's my test file before trying any changes:

I should say that the server I was using was Windows 2000 5.00.2195 service pack
4.  I was interested to see that I now get NT_STATUS_ACCESS_DENIED instead of
the NT_STATUS_INVALID_OWNER I got when I posted my original patch.  That was
probably an NT4 server.
Comment 3 Rahul 2011-04-26 05:04:45 UTC
I am facing an issue with the smbcacls command for user Administrateur [French domain user name].
====================================================
#smbcacls //10.10.180.214/Rahultest /abc.txt -U es1fr\\Administrateur%Password

Connecting to host=10.10.180.214
Connecting to 10.10.180.214 at port 445
Doing spnego session setup (blob length=103)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=frdc$@ES1FR.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x62890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Failed to open \hi\abc.txt: NT_STATUS_ACCESS_DENIED
====================================================

But if I execute the same command with the es1admin username, there is no issue.
# smbcacls //10.10.180.214/Rahulktest /abc.txt  -U es1fr\\es1admin%Password
REVISION:1
OWNER:ES1FR+es1admin
GROUP:ES1FR+Utilisa. du domaine
ACL:+Tout le monde:DENIED/0/0x000d0116
ACL:ES1FR+èçàéîôüû:ALLOWED/0/FULL


I am not getting why the Administrateur user cannot see permissions, as it is a superuser.

Actually I am trying to change the owner to Administrateur and it is not working.

Does this patch resolve this issue? Has this fix gone into the main Samba release?
Comment 4 Rahul 2011-04-26 05:10:49 UTC
I am using samba 3.0.23c.
Comment 5 Jeremy Allison 2011-04-27 00:29:05 UTC
Samba 3.0.x has been out of maintenance for many years now. Please try and reproduce with the latest Samba.

Jeremy.