[Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
Jeremy Allison
jra at samba.org
Tue Feb 28 10:42:06 MST 2012
On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > ---------- Forwarded message ----------
> > From: Tom Lee <tlee2951 at gmail.com>
> > Date: Mon, Feb 27, 2012 at 3:10 PM
> > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
> > has System Security bit set
> > To: Jeremy Allison <jra at samba.org>
> >
> >
> > Jeremy thanks for your response. I didn't actually build Samba from
> > sources; I'm just running the version of Samba that comes with OpenSuse
> > v12.1, which is 3.6.1-34.3.1.x86_64.
> >
> > I'm pretty sure the chunk of code inside libcli/security/access_check.c you
> > mentioned is enabled with this version, since before I gave the
> > Administrator user SeSecurityPrivilege I was getting the
> > NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
> > error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
> > coming from the check in open.c smbd_calculate_access_mask.
> >
> > Please let me know if there is something else I should try or if you need
> > any additional info on my configuration. Thanks.
>
> Ok, I've figured it out. The share security mask isn't being
> set correctly when you have these privileges.
>
> If you can build from source code, can you test the
> following patch (should apply cleanly to 3.6.x)?
Actually, ignore that previous patch (breaks other tests).
Try this one instead - I think this fixes the problem in
the right place.
Jeremy.
-------------- next part --------------
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 34b24f3..f57e57f 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
}
/****************************************************************************
+ Setup the share access mask for a connection.
+****************************************************************************/
+
+static void create_share_access_mask(connection_struct *conn, int snum)
+{
+ const struct security_token *token = conn->session_info->security_token;
+
+ share_access_check(token,
+ lp_servicename(snum),
+ MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+
+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+ conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ conn->share_access |= (SEC_STD_WRITE_OWNER);
+ }
+}
+
+/****************************************************************************
Make a connection, given the snum to connect to, and the vuser of the
connecting user if appropriate.
****************************************************************************/
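Review bot: create_share_access_mask() ORs the privilege-derived rights into conn->share_access after share_access_check() has run, without regard to what the share ACL actually granted, so a token holding SEC_PRIV_BACKUP or SEC_PRIV_RESTORE ends up with SEC_RIGHTS_PRIV_BACKUP / SEC_RIGHTS_PRIV_RESTORE on a share whose ACL granted it nothing at all; if that is the privilege semantics this fix is meant to implement, the header comment (currently just "Setup the share access mask for a connection.") should say so and list the four privilege-to-rights mappings, since this is now the single place where privileges widen share access. Minor style point: the parentheses around `(SEC_RIGHTS_PRIV_RESTORE)`, `(SEC_RIGHTS_PRIV_BACKUP)` and `(SEC_STD_WRITE_OWNER)` are redundant and inconsistent with the bare `SEC_FLAG_SYSTEM_SECURITY` in the first branch.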
@@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc
*
*/
- share_access_check(conn->session_info->security_token,
- lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
- &conn->share_access);
+ create_share_access_mask(conn, snum);
if ((conn->share_access & FILE_WRITE_DATA) == 0) {
if ((conn->share_access & FILE_READ_DATA) == 0) {
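Review bot: the FILE_WRITE_DATA and FILE_READ_DATA checks that immediately follow the new create_share_access_mask() call now evaluate a mask that already contains the privilege-derived bits, so a session that the share ACL alone would have denied read or write access can pass these checks purely on the strength of SEC_PRIV_BACKUP or SEC_PRIV_RESTORE. If that is intended, the comment block preceding the call (the `*` / `*/` context lines) should describe it, and a test covering a privilege-holding user on a share whose ACL denies them would guard against the kind of regression the earlier patch hit ("breaks other tests").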