[cifs-protocol] [REG:111052652308584] [ttalpey at microsoft.com: Reminder -- share secdesc and smb2 echo?]

Mon Jun 13 09:42:05 MDT 2011

Hi Volker:
Thanks for your reply. 
I'll look into the questions raised by you and will be in touch as soon as I have an answer.
I did not find a trace attached to this email. Please send me the trace you mentioned.

The changes I sent you will be incorporated in a future release of MS-CIFS/MS-SMB2

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at allisong at microsoft.com

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Sunday, June 12, 2011 4:17 AM
To: Obaid Farooqi
Cc: cifs-protocol at samba.org; pfif at tridgell.net; MSSolve Case Email
Subject: Re: [REG:111052652308584] [ttalpey at microsoft.com: Reminder -- share secdesc and smb2 echo?]

On Fri, Jun 10, 2011 at 03:57:19PM +0000, Obaid Farooqi wrote:
> Your observation is correct, and it is the case that the CIFS, SMB or
> SMB2 server MUST first verify that the Share.FileSecurity allows the 
> client-supplied DesiredAccess. If any of the nonzero bits of 
> DesiredAccess are not permitted for the user by the 
> Share.FileSecurity, the server MUST fail the request with 
> STATUS_ACCESS_DENIED.

Thanks. This is for the ntcreate call, right?

> Please let me know if it answers your question. If it does, I'll 
> consider this issue resolved.

It does not fully answer it, sorry. Attached find a network trace against the server where user "vlendec" (the one I'm connecting as) does not have the "full access" right as in the last traces. However, in frames 38/39 it seems that I was able to create a new file, giving it a custom security descriptor. I would have thought that when setting secdescs is forbidden then creating a new file would not allow me to set custom file descriptors using the nttrans create call.
This way it is possible for a user to circumvent the non-ability to set secdescs by just making a copy into a new file.

BTW, the trace is from re-syncing an offline folder after the server came back.

Can you explain that or show where this exception is documented? And, will this end up in the documentation somewhere?

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

Microsoft is committed to protecting your privacy.  Please read the Microsoft Privacy Statement for more information.The above is an email for a support case from Microsoft Corp.REPLY ALL TO THIS MESSAGE or INCLUDE casemail at microsoft.com IN YOUR REPLY if you want your response added to the case automatically. For technical assistance, please include the Support Engineer on the TO: line. Thank you.