FILE_OPEN_FOR_BACKUP_INTENT and Se{Backup,Restore}Privilege

Jeremy Allison jra at
Sat Apr 7 20:34:29 MDT 2012

On Sat, Apr 07, 2012 at 07:36:30AM -0700, Richard Sharpe wrote:
> Hi folks,
> Based on the following:
> I think we should remove the checking of Se{Backup,Restore}Privilege
> from se_access_check and should place the check for this in open_file,
> but for that we will also have to pass create_options into open_file I
> believe. We can then check if create_options contains
> FILE_OPEN_FOR_BACKUP_INTENT, and if so, then check if the user has
> SeBackupPrivilege and allow the open, but only of they did not also
> ask for WRITE access, in which case they must have SeRestorePrivilege.
> However, we might also have to check that they have not asked for
> things inconsistent with FILE_OPEN_FOR_BACKUP_INTENT, like sharing
> modes etc. It will probably take some research to figure out the
> actual combinations Windows allows.
> Comments? Jeremy?
> (I am resurrecting this topic because I have been bitten by it.)

Hmmmm. Maybe :-). We still need more tests to understand exactly
what Windows does here. I have some plans here (sidetracked with
other bugs at the moment, watch this space).


More information about the samba-technical mailing list