[cifs-protocol] MS-SMB2/MS-FSA: setting SD inherited ACL flag "DACL Auto-Inherited" (DI)
slow at samba.org
Mon May 10 07:33:51 UTC 2021
I've noticed that a wellknown behaviour with regards to ACL control
flags semantics seems to be undocumented. At least, I couldn't find any
reference that would explain the behaviour of a Windows SMB server.
Fwiw, Samba implements the same behaviour since many many years.
What I'm observing is that when setting an SD on a file or directory,
the resulting value of the flag "DACL Auto-Inherited" (DI) depends on
the values of both "DACL Auto-Inherited" (DI) and DACL Computed
Inheritance Required (DC).
Only if DI and DC are set in the client SD, the resulting SD will have DI.
Following along MS-SMB2 and MS-FSA I can only find the following
MS-SMB2 188.8.131.52.3 Handling SMB2_0_INFO_SECURITY
7. The server MUST call into the underlying object store to set
the security on the object.<377>
<377> Section 184.108.40.206.3: Windows performs SMB2 SET_INFO
SMB2_0_INFO_SECURITY processing via Server Requests Setting
of Security Information [MS-FSA] section 220.127.116.11.
MS-FSA 18.104.22.168 Server Requests Setting of Security Information
"... . The object store MUST set Open.File.SecurityDescriptor
I'm reading this as "the object store must store the unmodified SD
received from the client ".
Can you please check if the observed behaviour is indeed missing from
the documentation and should be added?
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 840 bytes
Desc: OpenPGP digital signature
More information about the cifs-protocol