Bug 6583 - Samba server ignores FILE_OPEN_FOR_BACKUP_INTENT
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: File services
Hardware: All Linux
Importance: P2 enhancement
Assigned To: Jeremy Allison
Samba QA Contact
Reported: 2009-07-29 00:00 UTC by Steve French
Modified: 2012-10-25 08:29 UTC (History)

wireshark trace showing backup intent flag (7.25 KB, application/octet-stream)
2009-07-29 13:47 UTC, Steve French
patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX (628 bytes, text/x-diff)
2009-07-29 13:49 UTC, Steve French
Adds into smb.h the definitions for all missing create options (1.36 KB, text/x-diff)
2009-07-29 15:05 UTC, Steve French
Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS. (38.00 KB, application/octet-stream)
2010-02-26 13:47 UTC, Michael Reissner

Description Steve French 2009-07-29 00:00:00 UTC
CreateOption: CREATE_OPEN_BACKUP_INTENT (0x00004000) is ignored by Samba server on open (NTCreateX SMB), but Windows uses it to allow a privileged user to open a file for which it does not have permission (without this flag the admin user should get access denied trying to open the file).
Comment 1 Jeremy Allison 2009-07-29 13:01:08 UTC
Do you have a test case for this, or a use case to show how it is supposed to work?
Comment 2 Steve French 2009-07-29 13:42:45 UTC

"The file is being opened or created for the purposes of either a backup or a restore operation. Thus, the server may make appropriate checks to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur."

Similar text is in the description of the local Windows open call.  Various applications (not just backup/restore) e.g. Cygwin, set this flag in order to allow a privileged user (Admin or backup operator) to access files which they otherwise would not have permission to access - but only when this flag is set.
Comment 3 Steve French 2009-07-29 13:47:36 UTC
Created attachment 4481
wireshark trace showing backup intent flag

Same user (Administrator) mounted to Windows 2003 Domain Controller.  Frame 5 shows the failure (without BACKUP_INTENT flag) and Frame 47 shows the same but with BACKUP_INTENT flag succeeding.

This (with and without flag) was done by trivial modification to Linux cifs client since the customer test case was large, complex
Comment 4 Steve French 2009-07-29 13:49:24 UTC
Created attachment 4482
patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX

I tried backup intent flag by rebuilding cifs.ko (Linux client) with this trivial patch.
Comment 5 Steve French 2009-07-29 14:48:00 UTC
Note that Samba 4 defines the flag with a different name:

and that currently Samba 4 torture test for the FindFirst version is the only place where the flag seems to be used (in /torture/raw/search.c)

The defines for this flag, and the NO COMPRESSION option, are included in the libcli/raw/smb.h for Samba 4 (and similarly in Linux cifs client, and in MS-SMB doc):

#define NTCREATEX_OPTIONS_BACKUP_INTENT             0x4000
#define NTCREATEX_OPTIONS_NO_COMPRESSION            0x8000

There is a similar flag on FindFirst (see trans2.h)
Comment 6 Steve French 2009-07-29 15:05:24 UTC
Created attachment 4483
Adds into smb.h the definitions for all missing create options
Comment 7 Volker Lendecke 2009-08-21 09:37:34 UTC
Pushed the patch, but the feature needs much more discussion.

Comment 8 Steve French 2009-09-17 20:47:24 UTC
FYI - I also had forwarded a Win32 test case for this earlier in the summer to jra - any update?
Comment 9 Steve French 2009-10-02 15:16:51 UTC
Per-jra discussion - make blocker for 3.5.

Biggest obstacle now is getting a good smb-torture case for this, and related ACL (raw/acls.c is too narrow) and deal with the foreign sid issue in constructing a repeatable test case (repeatable test case needed obviously for build verification and future functional testing, and so we don't regress ACLs in the future or across different ACL backends).
Comment 10 Jeremy Allison 2010-01-25 11:46:37 UTC
Re-prioritizing to enhancement as this isn't going to make the 3.5.0 release.
Comment 11 Michael Reissner 2010-02-26 13:47:34 UTC
Created attachment 5428
Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS.

To use this test, run
  BackupIntentTest.exe your_config.txt

where your_config.txt looks like:

It creates the file as user_1, with an empty ACL.  Then, it tries to open the file as the user that's running the test: this should not be allowed.  It finally impersonates the privileged user, with the Backup privilege enabled, and opens the file for reading with the FILE_FLAG_BACKUP_SEMANTICS flag, which should be allowed.
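
Added example (not part of the thread, and not Samba or Windows code): a minimal C model of the server-side decision the test above exercises, where the backup-intent create option widens access only if the caller's token also holds the matching privilege. The access bits, privilege bits, function name and the restore-privilege branch are assumptions made for illustration; only the 0x00004000 option value comes from the bug report.

```c
#include <stdint.h>
#include <stdio.h>

/* Create option from the bug report (CREATE_OPEN_BACKUP_INTENT). */
#define OPT_BACKUP_INTENT 0x00004000u

/* Simplified access bits for this model (not the full NT access mask). */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u

/* Hypothetical privilege bits held by the authenticated caller. */
#define PRIV_BACKUP  0x1u  /* stands in for the Backup privilege */
#define PRIV_RESTORE 0x2u  /* stands in for the Restore privilege (assumption) */

/*
 * Returns 1 if the open is allowed, 0 for access denied.
 * acl_granted: access the file's ACL grants this caller (0 for an empty ACL).
 */
int open_allowed(uint32_t create_options, uint32_t desired,
                 uint32_t acl_granted, uint32_t privs)
{
    uint32_t granted = acl_granted;

    /* The override applies only when the client asked for it AND the
     * server-side token holds the privilege; the flag alone grants nothing. */
    if (create_options & OPT_BACKUP_INTENT) {
        if (privs & PRIV_BACKUP)
            granted |= ACC_READ;
        if (privs & PRIV_RESTORE)
            granted |= ACC_WRITE;
    }
    /* Every requested bit must be covered by ACL or privilege. */
    return (desired & ~granted) == 0;
}

int main(void)
{
    /* Constructed cases mirroring the test: a file with an empty ACL. */
    printf("unprivileged, no flag: %d\n", open_allowed(0, ACC_READ, 0, 0));
    printf("unprivileged, flag:    %d\n", open_allowed(OPT_BACKUP_INTENT, ACC_READ, 0, 0));
    printf("backup priv, no flag:  %d\n", open_allowed(0, ACC_READ, 0, PRIV_BACKUP));
    printf("backup priv, flag:     %d\n", open_allowed(OPT_BACKUP_INTENT, ACC_READ, 0, PRIV_BACKUP));
    printf("backup priv, write:    %d\n", open_allowed(OPT_BACKUP_INTENT, ACC_WRITE, 0, PRIV_BACKUP));
    return 0;
}
```

The second and third cases are the ones a regression test should pin down: a client-supplied flag without the privilege, and the privilege without the flag, must both still end in access denied.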
Comment 12 Jeremy Allison 2010-02-26 19:15:07 UTC
Great! Thanks a lot. I'll take a look at implementing this for 3.5.1.

Comment 13 Karolin Seeger 2010-05-20 02:52:44 UTC
Updating product.