FILE_OPEN_FOR_BACKUP_INTENT and Se{Backup,Restore}Privilege

Richard Sharpe realrichardsharpe at
Sat Apr 7 08:36:30 MDT 2012

Hi folks,

Based on the following:

I think we should remove the checking of Se{Backup,Restore}Privilege
from se_access_check and should place the check for this in open_file,
but for that we will also have to pass create_options into open_file I
believe. We can then check if create_options contains
FILE_OPEN_FOR_BACKUP_INTENT, and if so, then check if the user has
SeBackupPrivilege and allow the open, but only of they did not also
ask for WRITE access, in which case they must have SeRestorePrivilege.

However, we might also have to check that they have not asked for
things inconsistent with FILE_OPEN_FOR_BACKUP_INTENT, like sharing
modes etc. It will probably take some research to figure out the
actual combinations Windows allows.

Comments? Jeremy?

(I am resurrecting this topic because I have been bitten by it.)

Richard Sharpe

More information about the samba-technical mailing list