se_access_checks() on SAMR pipe ?

Andrew Bartlett abartlet at samba.org
Wed Jan 26 21:23:20 GMT 2005


On Wed, 2005-01-26 at 10:34 -0600, Gerald (Jerry) Carter wrote:
> Andrew,
> 
> Can you give me some background on how the current
> implementation in 3.0 came about?  Right now it looks
> incomplete.  

That's probably the nicest way to describe the state it got left in...

So, the work (deciding on the default ACL and access masks) was based on
non-automated, non-reproduced testing by setting the access desired
flags and attempting operations.  Clearly many of these were got wrong,
and because it was never placed into a torture test, we never did
continued verification.  

> And in some ways incompatible with
> the privilege model.
> 
> For example, currently we give full access to the
> BUILTIN\Administrators, BUILTIN\Account Operators,
> and (if we are a DC the DOMAIN\Domain Admins).
> Everyone gets Execute|Read.
> 
> However, _samr_create_user() checks for
> SA_RIGHT_DOMAIN_CREATE_USER which means that you have
> to be a member of one of the full access groups even
> if you have the SeMachineAccountPrivilege or the
> SeAddUsersPrivilege.

So, my understanding is that privileges should trump access control
checks, and I would have expected that they would translate into extra
bits on the permitted access on the handle, then checked in the
subsequent operations.  We shouldn't have ACL or privilege evaluation on
the set info calls, just mask comparison.  

In Samba3, the bad interaction was caused by the fact that after the
access check (which short-circuited for root), we would not become root,
so the ugly hack in pdb_ldap.c stayed in effect.  The intention was to,
after we got this 'right', become root for the duration of those
operations.

Well, that's my memory of how we thought it should have worked, but I'll
have to write a torture test for Samba4 to really figure out what we
should have done (which should help inform Samba4 when we come to this
bridge).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
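
The handle model described in the message above (privileges adding bits to the access granted when the handle is opened, later calls doing only a mask comparison), as an added example that is not part of the original post and is not Samba code. The structs, function names and bit values are constructed for illustration, and mapping both privileges to the create-user bit is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed bit values for this example; not copied from Samba headers. */
#define RIGHT_DOMAIN_READ        0x01u
#define RIGHT_DOMAIN_EXECUTE     0x02u
#define RIGHT_DOMAIN_CREATE_USER 0x10u
#define RIGHT_DOMAIN_ALL         0xFFu

#define PRIV_ADD_USERS       0x1u /* stands in for SeAddUsersPrivilege */
#define PRIV_MACHINE_ACCOUNT 0x2u /* stands in for SeMachineAccountPrivilege */

/* Hypothetical caller token and policy handle. */
struct token { bool in_full_access_group; uint32_t privileges; };
struct domain_handle { uint32_t granted; };

/* Default ACL from the thread: full-access groups get everything,
 * Everyone gets Execute|Read. */
static uint32_t acl_allowed(const struct token *t)
{
    return t->in_full_access_group
        ? RIGHT_DOMAIN_ALL
        : (RIGHT_DOMAIN_READ | RIGHT_DOMAIN_EXECUTE);
}

/* Privileges contribute extra permitted bits (assumed mapping). */
static uint32_t privilege_bits(const struct token *t)
{
    if (t->privileges & (PRIV_ADD_USERS | PRIV_MACHINE_ACCOUNT))
        return RIGHT_DOMAIN_CREATE_USER;
    return 0;
}

/* Open time: the only place the ACL and privileges are evaluated. */
bool open_domain(const struct token *t, uint32_t desired,
                 struct domain_handle *h)
{
    uint32_t permitted = acl_allowed(t) | privilege_bits(t);
    h->granted = 0;
    if (desired & ~permitted)
        return false;          /* asked for a bit that is not permitted */
    h->granted = desired;      /* the handle carries only what was asked for */
    return true;
}

/* Later operation: mask comparison on the handle, nothing else. */
bool may_create_user(const struct domain_handle *h)
{
    return (h->granted & RIGHT_DOMAIN_CREATE_USER) != 0;
}
```

A caller holding a privilege but opening the handle without the create-user bit in the desired access is still refused at operation time, since only the handle's granted mask is consulted.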