The Samba-Bugzilla – Bug 6583
Samba server ignores FILE_OPEN_FOR_BACKUP_INTENT
Last modified: 2012-10-25 08:29:58 UTC
CreateOption: CREATE_OPEN_BACKUP_INTENT (0x00004000) is ignored by Samba server on open (NTCreateX SMB), but Windows uses it to allow a privileged user to open a file for which it does not have permission (without this flag the admin user should get access denied trying to open the file).
Do you have a test case for this, or a use case to show how it is supposed to work?
MS says FILE_OPEN_FOR_BACKUP_INTENT (SMB NTCreateX CreateOption):
"The file is being opened or created for the purposes of either a backup or a restore operation. Thus, the server may make appropriate checks to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur."
Similar text is in the description of the local Windows open call. Various applications (not just backup/restore), e.g. Cygwin, set this flag in order to allow a privileged user (Admin or backup operator) to access files which they otherwise would not have permission to access - but only when this flag is set.
Created attachment 4481 [details]
wireshark trace showing backup intent flag
Same user (Administrator) mounted to Windows 2003 Domain Controller. Frame 5 shows the failure (without BACKUP_INTENT flag) and Frame 47 shows the same but with BACKUP_INTENT flag succeeding.
This (with and without flag) was done by trivial modification to Linux cifs client since the customer test case was large, complex.
Created attachment 4482 [details]
patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX
I tried backup intent flag by rebuilding cifs.ko (Linux client) with this trivial patch.
Note that Samba 4 defines the flag with a different name:
and that currently Samba 4 torture test for the FindFirst version is the only place where the flag seems to be used (in /torture/raw/search.c).
The defines for this flag, and the NO COMPRESSION option, are included in the libcli/raw/smb.h for Samba 4 (and similarly in Linux cifs client, and in MS-SMB doc):
#define NTCREATEX_OPTIONS_BACKUP_INTENT 0x4000
#define NTCREATEX_OPTIONS_NO_COMPRESSION 0x8000
There is a similar flag on FindFirst (see trans2.h).
Created attachment 4483 [details]
Adds into smb.h the definitions for all missing create options
Pushed the patch, but the feature needs much more discussion.
FYI - I also had forwarded a Win32 test case for this earlier in the summer to jra - any update?
Per-jra discussion - make blocker for 3.5.
Biggest obstacle now is getting a good smb-torture case for this, and related ACL (raw/acls.c is too narrow) and deal with the foreign sid issue in constructing a repeatable test case (repeatable test case needed obviously for build verification and future functional testing, and so we don't regress ACLs in the future or across different ACL backends).
Re-prioritizing to enhancement as this isn't going to make the 3.5.0 release.
Created attachment 5428 [details]
Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS.
To use this test, run
where your_config.txt looks like:
It creates the file as user_1, with an empty ACL. Then, it tries to open the file as the user that's running the test: this should not be allowed. It finally impersonates the privileged user, with the Backup privilege enabled, and opens the file for reading with the FILE_FLAG_BACKUP_SEMANTICS flag, which should be allowed.
Great! Thanks a lot. I'll take a look at implementing this for 3.5.1.
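The access decision that the test attached as 5428 expects, written out as an added example (not code from Samba, the Linux cifs client, or any participant in this bug). The ACCESS_* and PRIV_* names, the struct, and the rule that the backup privilege overrides read checks only are assumptions of this model; only the 0x4000 flag value comes from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Create option value as quoted in this bug report. */
#define NTCREATEX_OPTIONS_BACKUP_INTENT 0x4000u

/* Hypothetical names for this model; not Samba identifiers. */
#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u
#define PRIV_BACKUP  0x1u  /* Backup privilege enabled in the caller's token */

struct open_request {
    uint32_t create_options; /* CreateOptions from the NTCreateX request */
    uint32_t desired_access; /* ACCESS_* bits the client asks for */
    uint32_t acl_granted;    /* ACCESS_* bits the file's ACL gives this caller */
    uint32_t privileges;     /* PRIV_* bits the server has verified for the caller */
};

/* Returns true if the open should succeed. */
bool open_allowed(const struct open_request *r)
{
    uint32_t missing = r->desired_access & ~r->acl_granted;

    if (missing == 0)
        return true; /* the ACL alone is sufficient */

    /* The client-supplied flag is only a request: the override applies
     * when the flag AND a server-verified privilege are both present.
     * Assumption of this model: backup overrides read checks only. */
    if ((r->create_options & NTCREATEX_OPTIONS_BACKUP_INTENT) &&
        (r->privileges & PRIV_BACKUP))
        missing &= ~ACCESS_READ;

    return missing == 0;
}

int main(void)
{
    /* Constructed cases: a file with an empty ACL, as in the test. */
    struct open_request plain  = { 0, ACCESS_READ, 0, 0 };
    struct open_request noflag = { 0, ACCESS_READ, 0, PRIV_BACKUP };
    struct open_request backup = { NTCREATEX_OPTIONS_BACKUP_INTENT, ACCESS_READ, 0, PRIV_BACKUP };
    struct open_request spoof  = { NTCREATEX_OPTIONS_BACKUP_INTENT, ACCESS_READ, 0, 0 };

    printf("plain=%d noflag=%d backup=%d spoof=%d\n", open_allowed(&plain),
           open_allowed(&noflag), open_allowed(&backup), open_allowed(&spoof));
    return 0;
}
```

The "spoof" case is the one a server-side implementation has to get right: an unprivileged client setting the flag must still be denied.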