Bug 6987 - NT_SET_SECURITY_DESC fails
Summary: NT_SET_SECURITY_DESC fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 6600
  Show dependency treegraph
 
Reported: 2009-12-12 08:33 UTC by Matthieu Patou
Modified: 2010-03-05 01:18 UTC (History)
1 user (show)

See Also:

Attachments
Fix proposal (1.21 KB, patch)
2010-03-01 07:53 UTC, Matthieu Patou 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-12-12 08:33:34 UTC 
With a user of the group administrator but not the default administrator (ie. CN=Administrator,CN=Users,...) the SMB command fails with NT_ACCESS_DENIED.

My hypothesis is that the NT_SET_SECURITY_DESC tries to set a owner that is not the current user but domain admin groups and the command is most probably executing with the right of the user in Linux. As a simple user can not change ownership of a file it is reported as an error to samba which after report it to the caller.
Comment 1 Matthieu Patou 2010-03-01 05:59:25 UTC 
Tridge can you have a look on this pb ?
Comment 2 Matthieu Patou 2010-03-01 07:53:43 UTC 
Created attachment 5435 [details]
Fix proposal

The function was trying to change owner/group but the user doing this might not have the root rights.
So I propose to become root during the time we change uid/gid.
Comment 3 Andrew Bartlett 2010-03-02 03:13:17 UTC 
I have to say, the use of become_root() spooks me.  Please don't merge this until it has been carefully reviewed, and the change in our security architecture is approved.
Comment 4 Matthieu Patou 2010-03-05 01:18:30 UTC 
I test it's ok no more access denied on this kind of request.