Bug 3348 - File in sticky dir can be opened with DELETE_ACCESS by user without write permission
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.21
Hardware: All All
Importance: P3 minor
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-12-22 02:04 UTC by SATOH Fumiyasu
Modified: 2006-01-01 09:01 UTC

Attachments
proposed patch (524 bytes, patch)
2005-12-22 02:09 UTC, SATOH Fumiyasu

Description SATOH Fumiyasu 2005-12-22 02:04:17 UTC
In smbd/posix_acls.c, can_delete_file_in_directory() returns
"True" without checking whether the user has write permission if
the directory has the sticky bit set and is owned by the user.
If the directory has the sticky bit set, any user can open
all files in the directory with the DELETE_ACCESS access mask.

This problem is NOT a security violation, because the actual
delete operation fails with a permission denied error,
but it confuses users in some cases.
Comment 1 SATOH Fumiyasu 2005-12-22 02:09:54 UTC
Created attachment 1630
proposed patch
Comment 2 Jeremy Allison 2006-01-01 09:01:22 UTC
Good catch! Applied, thanks - will be in 3.0.22.
Jeremy.
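
Added example, not part of the bug report and not Samba's code: a simplified C model of the check ordering the description reports, next to an ordering that tests directory write permission first. The `req` struct, the function names and the sample uids are hypothetical, and the ownership rule used (file owner or directory owner) is the usual POSIX sticky-bit rule, assumed here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifndef S_ISVTX
#define S_ISVTX 01000   /* sticky bit, if the headers hide it */
#endif

/* Constructed model, not Samba's code: mode bits only (no ACLs, no root override). */
struct req {
    mode_t dir_mode;              /* directory permission bits */
    uid_t dir_uid; gid_t dir_gid; /* directory owner and group */
    uid_t file_uid;               /* owner of the file to delete */
    uid_t uid; gid_t gid;         /* caller */
};

/* Caller has write+search on the directory, by owner/group/other class. */
static bool dir_writable(const struct req *r)
{
    mode_t w = S_IWOTH, x = S_IXOTH;
    if (r->uid == r->dir_uid)      { w = S_IWUSR; x = S_IXUSR; }
    else if (r->gid == r->dir_gid) { w = S_IWGRP; x = S_IXGRP; }
    return (r->dir_mode & w) && (r->dir_mode & x);
}

static bool sticky_owner(const struct req *r)
{ return r->uid == r->file_uid || r->uid == r->dir_uid; }

/* Ordering the report describes: the sticky branch decides on ownership alone. */
bool can_delete_sticky_first(const struct req *r)
{ return (r->dir_mode & S_ISVTX) ? sticky_owner(r) : dir_writable(r); }

/* Write permission first; the sticky bit can only narrow the answer. */
bool can_delete_write_first(const struct req *r)
{
    if (!dir_writable(r)) return false;
    return !(r->dir_mode & S_ISVTX) || sticky_owner(r);
}

/* Constructed cases: uid 2000 owns a file in a directory owned by uid 1000. */
const struct req no_write  = { S_ISVTX | 0755, 1000, 1000, 2000, 2000, 2000 };
const struct req has_write = { S_ISVTX | 0777, 1000, 1000, 2000, 2000, 2000 };

int main(void)
{
    printf("01755: sticky-first=%d write-first=%d\n",
           can_delete_sticky_first(&no_write), can_delete_write_first(&no_write));
    return 0;
}
```

In the 01755 case the first ordering reports the file as deletable while the second does not, which is the mismatch between a granted DELETE_ACCESS open and a later permission denied error that the report describes.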