Bug 8784 - Open file with SEC_FLAG_SYSTEM_SECURITY mask requested is blocked by share security mask.
Open file with SEC_FLAG_SYSTEM_SECURITY mask requested is blocked by share se...
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: File services
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-02-28 21:00 UTC by Jeremy Allison
Modified: 2012-05-25 19:12 UTC (History)
0 users

See Also:


Attachments
git-am fix for 3.6.next (2.43 KB, patch)
2012-02-28 21:05 UTC, Jeremy Allison
obnox: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2012-02-28 21:00:42 UTC
Reported by Tom Lee <tlee2951@gmail.com>:

> On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote:
> > I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
> > server running on OpenSuse x64 v12.1 but keep running into problems.
> >
> > What the .NET app is doing is trying to read the ACL for a directory
> using
> > UNC path pointing to a directory below the "users" share on the samba
> > server.   The app is running as user Administrator. On the samba side the
> > Administrator user has been given the following priviliges:
> >  SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
> > SeTakeOwnershipPrivilege.
> >
> > Specifically the .NET/C# method call being made is below: In this case
> > srcFolderName is something like "\\SambaServer\users\Administrator":
> >
> > DirectorySecurity srcFolderSecurity =
> > Directory.GetAccessControl(srcFolderName,  AccessControlSections.All);
> >
> > Calling this method results in an Exception. I can see from a Wireshark
> > trace that the exception corresponds to an error being returned from a
> call
> > to NTCreateAndx for a user folder named "\Administrator" and Access Mask
> > set to 0x01020080. The bit that seems to cause problems when set is the
> > System Security bit (0x01000000).
> >
> > Originally before I had given user Administrator any privileges (using
> net
> > rpc rights grant...), the NTCreateAndX response error was
> > *STATUS_PRIVILEGE_NOT_HELD.
> >  After granting privileges the error changed to STATUS_ACCESS_DENIED. *
> > *
> > *
> > *Looking at the log.smbd with debugLevel = 10. I can see the following
> > relevant trace info:*
> > *
> > *
> > *
> > [2012/02/23 12:35:24.190992, 10]
> > smbd/open.c:1430(smbd_calculate_access_mask)
> >   smbd_calculate_access_mask: Access denied on file Administrator:
> rejected
> > by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
> > reject[0x01000000]
> > [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
> >   open_file_ntcreate: smbd_calculate_access_mask on file Administrator
> > returned NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191107,  5] smbd/files.c:464(file_free)
> >   freed files structure 9877 (0 used)
> > [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
> >   create_file_unixpath: NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
> >   create_file: NT_STATUS_ACCESS_DENIED
Comment 1 Jeremy Allison 2012-02-28 21:05:02 UTC
Created attachment 7352 [details]
git-am fix for 3.6.next

Fix applied to master, reported as fixing the bug by Tom Lee.

Jeremy.
Comment 2 Jeremy Allison 2012-02-29 18:08:08 UTC
Comment on attachment 7352 [details]
git-am fix for 3.6.next

vl is out at the moment.
Comment 3 Michael Adam 2012-02-29 18:49:12 UTC
Comment on attachment 7352 [details]
git-am fix for 3.6.next

While this is not 100% correct (in adding the user's privileges to the tcon's share_access mask), I guess it is ok to take this for 3.6.

In the long run, we might consider adding a mask to the user context and adding that up with the conn->share_access upon access.
Comment 4 Jeremy Allison 2012-02-29 18:50:13 UTC
Re-assigning to Karolin for inclusion in 3.6.next.
Jeremy.
Comment 5 Karolin Seeger 2012-02-29 20:30:57 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!