[cifs-protocol] [Pfif] [REG:111052652308584] [ttalpey at microsoft.com: Reminder -- share secdesc and smb2 echo?]

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 28 09:25:21 MDT 2011


Hi!

Any updates here? Is the information I gave you sufficient,
or do you need more?

With best regards,

Volker Lendecke

On Sat, Jun 18, 2011 at 07:29:09PM +0200, Volker Lendecke wrote:
> On Fri, Jun 17, 2011 at 08:22:05PM +0000, Obaid Farooqi wrote:
> > It looks like we need the trace to properly answer this question. 
> > I appreciate your help and understanding in this matter.
> 
> Ok. Attached find two screenshots that show the share
> secdesc on a German XP box (w2k8 behaves the same in this
> respect). Also find corresponding traces.
> 
> fullcontrol.cap shows that vl is owner
> (S-1-5-21-1757981266-1482476501-515967899-1003 is xp\vl) of
> the file but does not have the WRITE_DAC rights from the
> secdesc in frame 14. Nevertheless, the owner's implicit
> WRITE_DAC makes the NTCREATE in frame 15 asking for
> WRITE_DAC succeed.
> 
> change.cap is similar, this time the share secdesc does not
> grant "full control". You can see in frame 16 that asking
> for WRITE_DAC is denied. However, setting the secdesc via
> the NT_TRANSACT_CREATE in frame 11 works. In frame 12 you
> can see this file was newly created.
> 
> The question is: Why can I set a security descriptor on a
> newly created file although the share secdesc denies
> WRITE_DAC?
> 
> Are there other exceptions?
> 
> With best regards,
> 
> Volker Lendecke
> 
> -- 
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen







-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

