samba_3_0/source/include/rpc_secdes.h ?

Gerald (Jerry) Carter jerry at
Fri Jan 28 14:25:45 GMT 2005


Andrew Tridgell wrote:

| The "generic" bits are all mapped to "specific" bits
| as soon as the access mask is received by the server.

I understand the difference between standard and generic
bits; see the other mail I sent you off list.

| So if there is any code in Samba3 that ever looks
| at the generic bits for any other purpose than mapping them
| to the specific bits then that is a bug.

No.  What I was trying to fix was the interaction between
se_access_check and user rights (which I have now done).
Sorry.  I should have sent more detail in the original mail.

| so the name STANDARD_GENERIC_WRITE is quite meaningless.

It was a typo I realized as soon as I sent the mail, which
is why I sent you a follow-up mail off list (not to create more

(which I now see that you got :) )

|  > obviously I meant STANDARD_RIGHTS_WRITE_ACCESS (not generic).
| The term STANDARD_RIGHTS_WRITE_ACCESS also makes no sense. The
| "standard" bits don't include a "write access" bit at all.
| They do include a WRITE_DACL bit and a WRITE_OWNER bit,
| but those have nothing to do with file write access.
| The closest match I can think of is SEC_RIGHTS_FILE_WRITE,
| which is the set of bits that the SEC_GENERIC_WRITE bit
| maps to for files and directories.
| I know this might seem like nit-picking, but I think
| that one of the reasons the Samba3 access control code
| is so hard to follow is the mixing up of these terms
| in confusing ways.

The issue is in the access mask requested by the client
in the _samr_create_user() call.  The standard bits 0x000d0000
are set, which implies


And while the name is somewhat misleading, the write access
mask for user objects is defined as

	 SA_RIGHT_USER_CHANGE_GROUP_MEM) /* 0x000204e4 */

The problem was really the use of


What I was trying to determine was if the define for
STANDARD_RIGHTS_WRITE_ACCESS was derived from actual work or
just complete fiction.  After talking to jeremy and yourself,
it appears to be fiction or at least an incomplete placeholder.

It was used in three other places:  rpc_lsa.h, rpc_spoolss.h
and smb.h.  For now I just


in smb.h and rpc_lsa.h.  I think the combination used in the
create_user() call is probably the same one for the spoolss
pipes (admin access always requests 0x000f000c).

cheers, jerry
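The generic/standard/specific split the thread is arguing about, as an added example that is not Samba's code: it decodes the masks quoted in the mail (0x000d0000, 0x000f000c) into their three fields and folds generic bits into specific ones the way a server does on receipt. The bit positions are the documented Windows ACCESS_MASK layout; the `generic_mapping` table, its values and the function names are constructed for illustration and are not Samba's tables for users, files or printers.

```c
#include <stdint.h>
#include <stdio.h>
#define SEC_STD_DELETE        0x00010000u
#define SEC_STD_READ_CONTROL  0x00020000u
#define SEC_STD_WRITE_DAC     0x00040000u
#define SEC_STD_WRITE_OWNER   0x00080000u
#define SEC_GENERIC_ALL       0x10000000u
#define SEC_GENERIC_EXECUTE   0x20000000u
#define SEC_GENERIC_WRITE     0x40000000u
#define SEC_GENERIC_READ      0x80000000u
#define SEC_SPECIFIC_MASK     0x0000ffffu   /* bits 0-15: object-type specific rights */
#define SEC_STANDARD_MASK     0x00ff0000u   /* bits 16-23: DELETE, READ_CONTROL, WRITE_DAC, ... */
#define SEC_GENERIC_MASK      0xf0000000u   /* bits 28-31: GENERIC_READ/WRITE/EXECUTE/ALL */

/* Which concrete rights each generic bit stands for; one table per object type. */
struct generic_mapping { uint32_t generic_read, generic_write, generic_execute, generic_all; };

/* Constructed mapping table, not Samba's: generic write = WRITE_DAC | specific 0x4. */
static const struct generic_mapping example_mapping = { 0x00020001u, 0x00040004u, 0x00000008u, 0x000f000fu };

/* Replace each generic bit by its concrete rights and clear it, so later
 * access checks only ever see standard and specific bits. */
uint32_t map_generic_bits(uint32_t mask, const struct generic_mapping *m)
{
    uint32_t out = mask & ~SEC_GENERIC_MASK;
    if (mask & SEC_GENERIC_READ)    out |= m->generic_read;
    if (mask & SEC_GENERIC_WRITE)   out |= m->generic_write;
    if (mask & SEC_GENERIC_EXECUTE) out |= m->generic_execute;
    if (mask & SEC_GENERIC_ALL)     out |= m->generic_all;
    return out;
}

/* Print the three fields of a mask and name the standard bits that are set. */
void describe_mask(uint32_t mask)
{
    printf("0x%08x generic=0x%x standard=0x%02x specific=0x%04x:", mask,
           mask >> 28, (mask & SEC_STANDARD_MASK) >> 16, mask & SEC_SPECIFIC_MASK);
    if (mask & SEC_STD_DELETE)       printf(" DELETE");
    if (mask & SEC_STD_READ_CONTROL) printf(" READ_CONTROL");
    if (mask & SEC_STD_WRITE_DAC)    printf(" WRITE_DAC");
    if (mask & SEC_STD_WRITE_OWNER)  printf(" WRITE_OWNER");
    putchar('\n');
}

int main(void)
{
    describe_mask(0x000d0000u);   /* standard bits from the mail: no specific bits at all */
    describe_mask(0x000f000cu);   /* the spoolss admin request: all four standard bits plus 0xc */
    describe_mask(map_generic_bits(SEC_GENERIC_WRITE | 0x1u, &example_mapping));
    return 0;
}
```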

