CreateOption: CREATE_OPEN_BACKUP_INTENT (0x00004000) is ignored by Samba server on open (NTCreateX SMB), but Windows uses it to allow a privileged user to open a file for which it does not have permission (without this flag the admin user should get access denied trying to open the file).
Do you have a test case for this, or a use case to show how it is supposed to work ? Jeremy.
MS says FILE_OPEN_FOR_BACKUP_INTENT (SMB NTCreateX CreateOption): "The file is being opened or created for the purposes of either a backup or a restore operation. Thus, the server may make appropriate checks to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur." Similar text is in the description of the local Windows open call. Various applications (not just backup/restore) e.g. Cygwin, set this flag in order to allow a privileged user (Admin or backup operator) to access files which they otherwise would not have permission to access - but only when this flag is set.
Created attachment 4481 [details] wireshark trace showing backup intent flag Same user (Administrator) mounted to Windows 2003 Domain Controller. Frame 5 shows the failure (without BACKUP_INTENT flag) and Frame 47 shows the same but with BACKUP_INTENT flag succeeding. This (with and without flag) was done by trivial modification to Linux cifs client since the customer test case was large, complex
Created attachment 4482 [details] patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX I tried backup intent flag by rebuilding cifs.ko (Linux client) with this trivial patch.
Note that Samba 4 defines the flag with a different name: and that currently Samba 4 torture test for the FindFirst version is the only place where the flag seems to be used (in /torture/raw/search.c) The defines for this flag, and the NO COMRPESSION option, are included in the libcli/raw/smb.h for Samba 4 (and similarly in Linux cifs client, and in MS-SMB doc): #define NTCREATEX_OPTIONS_BACKUP_INTENT 0x4000 #define NTCREATEX_OPTIONS_NO_COMPRESSION 0x8000 There is a similar flag on FindFirst (see trans2.h)
Created attachment 4483 [details] Adds into smb.h the definitions for all missing create options
Pushed the patch, but the feature needs much more discussion. Volker
FYI - I also had forwarded a Win32 test case for this earlier in the summer to jra - any update?
Per-jra discussion - make blocker for 3.5. Biggest obstacle now is getting a good smb-torture case for this, and related ACL (raw/acls.c is too narrow) and deal with the foreign sid issue in constructing a repeatable test case (repeatable test case needed obviously for build verification and future functional testing, and so we don't regress ACLs in the future or across different ACL backends).
Re-prioritizing to enhancement as this isn't going to make the 3.5.0 release. Jeremy.
Created attachment 5428 [details] Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS. To use this test, run BackupIntentTest.exe your_config.txt where your_config.txt looks like: server=YOUR_SERVER share=YOUR_SHARE user_1=USER@YOUR.DOMAIN pswd_1=USER1PSWD priv_user=USER_W_BACKUP_PRIVS@YOUR.DOMIN priv_pswd=PRIVPSWD It creates the file as user_1, with an empty ACL. Then, it tries to open the file as the user that's running the test: this should not be allowed. It finally impersonates the privileged user, with the Backup privilege enabled, and opens the file for reading with the FILE_FLAG_BACKUP_SEMANTICS flag, which should be allowed.
Great ! Thanks a lot. I'll take a look at implementing this for 3.5.1. Jeremy.
Updating product.
Hi, We are using 4.3.11 stack and observing the same issue. i.e Server simply ignores when the create request coming with BACKUP INTENT flag and enforcing the user to have required permissions on the object though he has backup privileges. Also, I found these checks in se_file_access_check(). /* Check if we should override with privileges. */ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && security_token_has_privilege(token, SEC_PRIV_BACKUP)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); } if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); } Priv and Restore flags are defined as: #define SEC_RIGHTS_PRIV_BACKUP ( SEC_STD_READ_CONTROL|SEC_FLAG_SYSTEM_SECURITY|SEC_RIGHTS_FILE_READ|SEC_DIR_TRAVERSE ) #define SEC_RIGHTS_PRIV_RESTORE ( SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_FLAG_SYSTEM_SECURITY|SEC_RIGHTS_FILE_WRITE|SEC_DIR_ADD_FILE|SEC_DIR_ADD_SUBDIR|SEC_STD_DELETE ) Here we seem to be checking for SYSTEM SECURITY + Read perms as Backup right and SYSTEM SECURITY + Write perms for Restore rights. In our case, create request came with BACKUP intent and with write access. SMB2 (Server Message Block Protocol version 2) SMB2 Header Create Request (0x05) StructureSize: 0x0039 Oplock: No oplock (0x00) Impersonation: Impersonation (2) Create Flags: 0x0000000000000000 Access Mask: 0x00100191 .... .... .... .... .... .... .... ...1 = Read: READ access .... .... .... .... .... .... .... ..0. = Write: NO write access .... .... .... .... .... .... .... .0.. = Append: NO append access .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access .... .... .... .... .... .... ..0. .... = Execute: NO execute access .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access .... .... .... ...0 .... .... .... .... = Delete: NO delete access .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set File Attributes: 0x00000010 Share Access: 0x00000003, Read, Write Disposition: Open If (if file exists open it, else create it) (3) Create Options: 0x00004021 .... .... .... .... .... .... .... ...1 = Directory: File being created/opened must be a directory .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous .... .... .... .... .... .... ..1. .... = Sync I/O Nonalert: All operations SYNCHRONOUS, waits not subject to alert .... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set .... .... .... .... .1.. .... .... .... = Backup Intent: This is a create with BACKUP INTENT .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open .... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query Filename: final-rc.gchild.child1.automation.nutanix.com\genfinal ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST SMB2_CREATE_ALLOCATION_SIZE SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID Would like to know if there is any work in progress to fix this issue. Looks like mostly we will need to check if the create flags has the BACKUP INTENT option, we will need to check if the incoming user has the BACKUP Privilege. Let me know if there is any thing else which we need to worry about.
I fixed this for directory listing with backup intent, but not for the open. Should be fairly simple but *beware* of the security implications when you get an access denied and then decide to override as root...
(In reply to Jeremy Allison from comment #15) As Steve updated in comment #2, MS-SMB2 spec seems to be suggesting to override all the permissions if the open request comes with this flag and the user has the necessary privileges(though it is not very clear if some or all can be overriden). Windows seems to be allowing this case without any warning. Shouldn't we follow the windows here?
Oh yes, absolutely we should. The reason we haven't is that people usually set up a special share for Samba backups, with "admin users = XXX" set for a path that mirrors the regular share they want to back up. This does the same thing as 'backup intent' but can be done with existing code.
You know, I think I fixed this a long time ago.... There's certainly code in smbd that implements this.
(In reply to Jeremy Allison from comment #18) Oh never mind, I'm thinking of the directory listing code.