[cifs-protocol] [MS-SMB2] allow read based on FILE_EXECUTE permission [116073114482785]

Obaid Farooqi obaidf at microsoft.com
Wed Aug 3 19:03:37 UTC 2016


Hi Uri:
I am looking into this and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Uri Simchoni [mailto:uri at samba.org] 
Sent: Wednesday, August 3, 2016 6:55 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [MS-SMB2] allow read based on FILE_EXECUTE permission [116073114482785]

On 08/01/2016 01:41 AM, Obaid Farooqi wrote:
> Hi Uri:
> Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would like 
> to provide feedback on your case you may contact my manager at 
> ramagane at Microsoft dot com
> 
> -----Original Message-----
> From: Uri Simchoni [mailto:uri at samba.org]
> Sent: Sunday, July 31, 2016 12:45 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [MS-SMB2] allow read based on FILE_EXECUTE permission
> 
> Hi,
> 
> This question concerns the right to read from a file opened with FILE_EXECUTE but without FILE_READ_DATA in the desired access mask.
> 
> According to [MS-SMB2] section 3.3.5.12, about how to process a READ request:
> 
> If Open.GrantedAccess does not allow for FILE_READ_DATA, the request MUST be failed with STATUS_ACCESS_DENIED.
> 
> However, testing against Windows Server 2012R2 shows that if 
> FILE_EXECUTE is granted instead of FILE_READ_DATA, the read is also 
> allowed (I suppose this has to do with running executables...)
> 
> The attached tcpdump packet trace demonstrates that - in packet 22, EOF is returned instead of ACCESS_DENIED.
> 
> Can you please clarify?
> 
> Thanks,
> Uri.
> 

The packet capture I originally attached was by a (modified) smbtorture command. However, the real use case where we see this is when loading a driver from a remote share:
1. samba ad member server joined to domain and client joined
2. put a driver file on a share and give everyone full control
3. run the following from elevated command prompt:
sc create mydriver type=kernel start=demand error=normal binpath=\\my-server.my-domain.local\my-share\mydriver.sys
sc start mydriver

That would generate the "open for execute and read" pattern.

Thanks,
Uri.
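
Added example, not part of the original messages and not Samba or Windows code: a small C model of the READ access check discussed above, comparing the rule as quoted from [MS-SMB2] 3.3.5.12 with the behaviour reported for Windows Server 2012 R2. The function name, the policy enum and the assumption that the read in the trace landed at end of file are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits and NTSTATUS codes as defined by Microsoft. */
#define FILE_READ_DATA        0x00000001u
#define FILE_EXECUTE          0x00000020u
#define STATUS_SUCCESS        0x00000000u
#define STATUS_END_OF_FILE    0xC0000011u
#define STATUS_ACCESS_DENIED  0xC0000022u

/* Hypothetical policy switch: the rule as quoted from 3.3.5.12, or the
 * behaviour reported in the thread for Windows Server 2012 R2. */
enum read_policy { POLICY_SPEC_TEXT, POLICY_OBSERVED };

/* Model of the server-side READ check on an open handle.
 * granted   : Open.GrantedAccess
 * offset    : read offset from the request
 * file_size : current end of file */
uint32_t smb2_read_status(uint32_t granted, uint64_t offset,
                          uint64_t file_size, enum read_policy policy)
{
    uint32_t allowed = FILE_READ_DATA;
    if (policy == POLICY_OBSERVED)
        allowed |= FILE_EXECUTE;   /* execute-only opens may read */

    if ((granted & allowed) == 0)
        return STATUS_ACCESS_DENIED;
    if (offset >= file_size)
        return STATUS_END_OF_FILE; /* access check passed, no data left */
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed case: handle opened with FILE_EXECUTE only, read at EOF. */
    uint32_t granted = FILE_EXECUTE;
    printf("spec text: 0x%08X\n",
           (unsigned)smb2_read_status(granted, 0, 0, POLICY_SPEC_TEXT));
    printf("observed : 0x%08X\n",
           (unsigned)smb2_read_status(granted, 0, 0, POLICY_OBSERVED));
    return 0;
}
```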

