From 44590c1b70c0a24f853c02d5fcdb3c609401e2ca Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Tue, 13 Mar 2012 16:47:17 -0700 Subject: Fix bug #8795 - Samba does not handle the Owner Rights permissions at all Signed-off-by: Jeremy Allison Autobuild-User: Jeremy Allison Autobuild-Date: Wed Mar 14 02:26:34 CET 2012 on sn-devel-104 --- libcli/security/access_check.c | 52 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 6 deletions(-) (limited to 'libcli/security/access_check.c') diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index d9f6293a46..7f08cb5ed8 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -159,6 +159,16 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, uint32_t i; uint32_t bits_remaining; uint32_t explicitly_denied_bits = 0; + /* + * Up until Windows Server 2008, owner always had these rights. Now + * we have to use Owner Rights perms if they are on the file. + * + * In addition we have to accumulate these bits and apply them + * correctly. See bug #8795 + */ + uint32_t owner_rights_allowed = 0; + uint32_t owner_rights_denied = 0; + bool owner_rights_default = true; *access_granted = access_desired; bits_remaining = access_desired; @@ -178,12 +188,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, bits_remaining)); } - /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && - security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); - } - /* a NULL dacl allows access */ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { *access_granted = access_desired; @@ -202,6 +206,26 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, continue; } + /* + * We need the Owner Rights permissions to ensure we + * give or deny the correct permissions to the owner. Replace + * owner_rights with the perms here if it is present. + * + * We don't care if we are not the owner because that is taken + * care of below when we check if our token has the owner SID. + * + */ + if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) { + if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { + owner_rights_allowed |= ace->access_mask; + owner_rights_default = false; + } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { + owner_rights_denied |= ace->access_mask; + owner_rights_default = false; + } + continue; + } + if (!security_token_has_sid(token, &ace->trustee)) { continue; } @@ -219,6 +243,22 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } + /* The owner always gets owner rights as defined above. */ + if (security_token_has_sid(token, sd->owner_sid)) { + if (owner_rights_default) { + /* + * Just remove them, no need to check if they are + * there. + */ + bits_remaining &= ~(SEC_STD_WRITE_DAC | + SEC_STD_READ_CONTROL); + } else { + bits_remaining &= ~owner_rights_allowed; + bits_remaining |= owner_rights_denied; + } + } + + /* Explicitly denied bits always override */ bits_remaining |= explicitly_denied_bits; /* -- cgit