[cifs-protocol] [REG:111052652308584] [Pfif] [ttalpey at microsoft.com: Reminder -- share secdesc and smb2 echo?]
obaidf at microsoft.com
Fri Jul 1 13:46:41 MDT 2011
We have completed our investigation regarding your inquiry on WRITE_DAC permission on a share.
The steps through which the access check must go before an operation is allowed are as follows:
1. The desired access is checked against the share permissions. If any of the desired access bits are not set in the share permission, access is denied regardless of what access rights the user has for the file, directory, etc., consistent with the situation as described in our initial response.
2. If share permission check results in access allowed, then SMB server makes the request to the object store which runs its own access checks.
As part of discretionary access control, Windows always allows a security descriptor to be optionally provided when creating a file. And, the share access/file access needed to create a file does not require WRITE_DAC access. So, as part of creating a file, you can write a custom DACL without requesting WRITE_DAC.
As you can see in frame 11 of your trace change.cap, the desired access for NT TRANSACT CREATE does not include WRITE_DAC. As such, it passes the share access check.
In case of frame 15 of change.cap, you are specifically requesting WRITE_DAC access and this bit is not set in share permissions for this particular user. Therefore, the second access is denied.
MS-CIFS/MS-SMB/MS-SMB2 will be modified to document the role of share permissions along the lines of the description above.
Please let me know if it answers your question. If it does, I'll consider this issue resolved.
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at allisong at microsoft.com
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Tuesday, June 28, 2011 11:57 AM
To: Obaid Farooqi
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [Pfif] [REG:111052652308584] [ttalpey at microsoft.com: Reminder -- share secdesc and smb2 echo?]
On Tue, Jun 28, 2011 at 04:55:53PM +0000, Obaid Farooqi wrote:
> Hi Volker:
> The information you gave is sufficient. We are still working on it.
> I'll be in touch as soon as I have an answer.
Any expected timeframe? I have customers sitting on my back.
We might have to implement a short-term hack if this takes weeks or months.
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
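The two-stage check described in the reply above, as an added example (not from the thread, and not Microsoft's or Samba's code): a small Python model in which the share permission is checked first and the object store's DACL second, replaying the frame 11 / frame 15 situation. The access-mask constants are the MS-SMB2 values; the share mask, user name, file name and DACL contents are constructed for the illustration.

```python
# Access-mask bits as defined in MS-SMB2 (real values).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
FILE_READ_DATA, FILE_WRITE_DATA, FILE_READ_ATTRIBUTES = 0x1, 0x2, 0x80

# Constructed share permission for the user: "Change"-style rights, no WRITE_DAC.
SHARE_ALLOWED = (FILE_READ_DATA | FILE_WRITE_DATA | FILE_READ_ATTRIBUTES
                 | DELETE | READ_CONTROL)


def share_check(desired, share_allowed):
    """Step 1: every desired bit must be present in the share permission."""
    return desired & ~share_allowed == 0


def object_store_check(desired, file_dacl, user):
    """Step 2: toy object-store check; file_dacl maps user -> allowed mask."""
    return desired & ~file_dacl.get(user, 0) == 0


def smb_open(desired, share_allowed, files, name, user, create_sd=None):
    """Model of an SMB create/open. create_sd is the optional DACL supplied
    at create time. Returns (status, updated file table)."""
    if not share_check(desired, share_allowed):
        return "ACCESS_DENIED(share)", files
    if name not in files:
        # Creating a file: the caller may supply its own DACL without
        # holding WRITE_DAC, exactly as the thread describes.
        files = dict(files)
        files[name] = create_sd if create_sd is not None else {user: SHARE_ALLOWED}
        return "CREATED", files
    if not object_store_check(desired, files[name], user):
        return "ACCESS_DENIED(object)", files
    return "OPENED", files


def replay_change_cap():
    """Replays the two frames discussed in the thread with constructed values."""
    files = {}
    # Frame 11 analogue: create with a custom DACL granting the user WRITE_DAC,
    # while the create itself does not request WRITE_DAC.
    custom_dacl = {"alice": SHARE_ALLOWED | WRITE_DAC}
    s1, files = smb_open(FILE_WRITE_DATA | FILE_READ_ATTRIBUTES, SHARE_ALLOWED,
                         files, "x.txt", "alice", custom_dacl)
    # Frame 15 analogue: reopen asking for WRITE_DAC. The file's DACL would
    # allow it, but the share permission does not, so step 1 denies it.
    s2, files = smb_open(WRITE_DAC, SHARE_ALLOWED, files, "x.txt", "alice")
    dacl_grants_write_dac = files["x.txt"]["alice"] & WRITE_DAC != 0
    return s1, s2, dacl_grants_write_dac
```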