author | Richard Sharpe <realrichardsharpe@gmail.com> | 2012-03-09 14:54:38 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2012-03-10 01:33:44 +0100 |
commit | 1e8141f40ae7b67a45906f26483caff0a7cca7ed (patch) | |
tree | 06b872c482d37f15dda778d69636011c5b7dfd97 | |
parent | 177c61bd72af3f8bf4bad5221e1ff67084bde397 (diff) | |
Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges apply.
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Mar 10 01:33:45 CET 2012 on sn-devel-104
-rw-r--r-- | libcli/security/access_check.c | 54 |
1 files changed, 28 insertions, 26 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index a9b618f577..d9f6293a46 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -178,38 +178,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 bits_remaining));
 }
 
- /* s3 had this with #if 0 previously. To be sure the merge
- doesn't change any behaviour, we have the above #if check
- on _SAMBA_BUILD_. */
- if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
- bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
- } else {
- return NT_STATUS_PRIVILEGE_NOT_HELD;
- }
- }
-
 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
 security_token_has_sid(token, sd->owner_sid)) {
 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
 }
 
- /* TODO: remove this, as it is file server specific */
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
- }
-
- if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
- security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
- bits_remaining &= ~(SEC_STD_WRITE_OWNER);
- }
-
 /* a NULL dacl allows access */
 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
 *access_granted = access_desired;
@@ -247,6 +221,34 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 
 bits_remaining |= explicitly_denied_bits;
 
+ /*
+ * We check privileges here because they override even DENY entries.
+ */
+
+ /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
+ if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+ bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
+ } else {
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+ }
+
+ /* TODO: remove this, as it is file server specific */
+ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ }
+
+ if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
+ security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ bits_remaining &= ~(SEC_STD_WRITE_OWNER);
+ }
+
 done:
 if (bits_remaining != 0) {
 *access_granted = bits_remaining; |
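Review bot: The SEC_PRIV_SECURITY gate now tests `bits_remaining & SEC_FLAG_SYSTEM_SECURITY` after the DACL walk, where the removed code tested `access_desired` before it, so the `NT_STATUS_PRIVILEGE_NOT_HELD` return is reached only if that bit is still outstanding at this point. Two paths look able to get past it: the NULL-DACL shortcut shown as context in the first hunk (`*access_granted = access_desired;`) now runs before any privilege check, and, if the ACE loop (outside this hunk) clears bits from an allow ACE's mask, an ACE carrying SEC_FLAG_SYSTEM_SECURITY would satisfy the request without the privilege; any `goto done` would skip the block as well, since it sits above the label. I would keep a fail-closed pre-check ahead of the NULL-DACL branch, `if ((access_desired & SEC_FLAG_SYSTEM_SECURITY) && !security_token_has_privilege(token, SEC_PRIV_SECURITY)) return NT_STATUS_PRIVILEGE_NOT_HELD;`, and leave only the bit clearing here so that DENY entries are still overridden. The new comment also names the privilege where it means the access bit; something like `/* SEC_FLAG_SYSTEM_SECURITY is only granted to holders of SEC_PRIV_SECURITY */` would read correctly. se_access_check starts and ends outside both hunks, so the early-exit paths should be confirmed against the full function.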