[cifs-protocol] MS-SMB2/MS-FSA: setting SD inherited ACL flag "... - TrackingID#2105100040001378

Hung-Chun Yu HungChun.Yu at microsoft.com
Mon May 10 08:14:25 UTC 2021 

Hi Ralph

Thank you for contacting Open Specifications Support. Case 2105100040001378 created to track the issue, and do leave TrackingID#2105100040001378 tag in the Subject line for future reference.
One of our engineers will be contacting you shortly.

Hung-Chun Yu
Escalation Engineer
Microsoft Open Specifications

-----Original Message-----
From: Ralph Boehme <slow at samba.org> 
Sent: Monday, May 10, 2021 12:34 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-SMB2/MS-FSA: setting SD inherited ACL flag "DACL Auto-Inherited" (DI)

Hello dochelp,

I've noticed that a wellknown behaviour with regards to ACL control flags semantics seems to be undocumented. At least, I couldn't find any reference that would explain the behaviour of a Windows SMB server.

Fwiw, Samba implements the same behaviour since many many years.

What I'm observing is that when setting an SD on a file or directory, the resulting value of the flag "DACL Auto-Inherited" (DI) depends on the values of both "DACL Auto-Inherited" (DI) and DACL Computed Inheritance Required (DC).

Only if DI and DC are set in the client SD, the resulting SD will have DI.

Following along MS-SMB2 and MS-FSA I can only find the following applicable sections:

   MS-SMB2 3.3.5.21.3 Handling SMB2_0_INFO_SECURITY

   7. The server MUST call into the underlying object store to set
   the security on the object.<377>

   <377> Section 3.3.5.21.3: Windows performs SMB2 SET_INFO
   SMB2_0_INFO_SECURITY processing via Server Requests Setting
   of Security Information [MS-FSA] section 2.1.5.16.

   MS-FSA 2.1.5.16 Server Requests Setting of Security Information

   "... . The object store MUST set Open.File.SecurityDescriptor
   to InputBuffer."

I'm reading this as "the object store must store the unmodified SD received from the client ".

Can you please check if the observed behaviour is indeed missing from the documentation and should be added?

Thanks!
-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.dat
Type: application/pgp-signature
Size: 855 bytes
Desc: OpenPGP_signature.dat
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20210510/7601edf6/OpenPGP_signature.sig>

More information about the cifs-protocol mailing list