[cifs-protocol] RE: Create Access Mask

Sebastian Canevari Sebastian.Canevari at microsoft.com
Thu Jul 10 21:23:40 GMT 2008 

Hi Tridge,

I concluded my investigation and future releases of the [MS-SMB] and [MS-SMB2] documents will include something in the lines of:

"If any of the bits in the mask 0x0CE0FE00  is set, the server SHOULD fail the create with STATUS_ACCESS_DENIED"

As a SHOULD, having a PARAMETER_INVALID or ACCESS_DENIED is opened for implementation decisions.

Please let me know if this satisfies your request.

Thanks for helping us improve our documentation.

Regards

Sebastian Canevari
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com

We're hiring


-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org]
Sent: Friday, June 06, 2008 10:21 PM
To: Sebastian Canevari
Cc: Interoperability Documentation Help; cifs-protocol at samba.org
Subject: Re: Create Access Mask

Hi Sebastian,

 > I was wondering if you were able to review the information that I
 > provided to you about the matter.

sorry for the slow reply, I've been a bit busy at the plugfest this
week.

 > I've been reviewing the info on the document and I would need a little clarification from you.
 >
 >  The mask that you are using 0D F0 FE 00, includes one bit that's described on the document (ACCESS_SYSTEM_SECURITY 0x01000000).
 >
 >  It's not clear to us that you need this mask. Can you clarify what you're doing that you need it or I'd suggest dropping the bit from the mask as I state next...
 >
 > If not, I would suggest to run your test with the following mask:  0C F0 FE 00

The test sends a separate SMB2 CREATE request for each bit, so it
sends 32 separate CREATE calls. Have a look at this capture:

  http://samba.org/~tridge/smb2_create_vista.cap

Start at frame 33. There you see it trying a create with a access_mask
of 1. Then at frame 37 it tries it with an access_mask of 2, and so on
up to frame 129 where 0x80000000 is tried.

The test put together all the single bits that give ACCESS_DENIED or
PRIVILEGE_NOT_HELD, and gets this mask 0x0df0fe00.

Many of these bits are not explained in 2.2.13.1 of MS-SMB2, but if
they return ACCESS_DENIED or PRIVILEGE_NOT_HELD then that indicates
they are not ignored, and must have some meaning.

So, I think you need to document what the meaning of the bits in
0x0df0fe00 that are not in the table in 2.2.13.1 mean. Some of them
are documented (as you noticed, 0x01000000 is documented), but many of
them aren't. They all should be.

Cheers, Tridge

More information about the cifs-protocol mailing list