SEC_PRIV_TAKE_OWNERSHIP not respected in se_access_check in Samba 3.6 (v3-6-test)

Richard Sharpe realrichardsharpe at gmail.com
Sun Feb 19 20:36:02 MST 2012


2012/2/19 Richard Sharpe <realrichardsharpe at gmail.com>:
> Hi,
>
> In libcli/security/access_check.c::se_access_check it seems that there
> should be a section like this:
>
>        if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
>            security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
>                bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
>        }
>
> +        if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
> +           security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
> +                bits_remaining &= ~(SEC_STD_WRITE_OWNER);
> +       }
> +
>        /* a NULL dacl allows access */
>        if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
>                *access_granted = access_desired;
>                return NT_STATUS_OK;
>        }
>
> Otherwise, how does a user who has the take ownership privilege do so?

Here is the patch I have generated against master (I will create a bug
in bugzilla):

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 1b02a86..a9b618f 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -205,6 +205,11 @@ NTSTATUS se_access_check(const struct security_descriptor *
                bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
        }

+       if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
+            security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+               bits_remaining &= ~(SEC_STD_WRITE_OWNER);
+       }
+
        /* a NULL dacl allows access */
        if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
                *access_granted = access_desired;
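
Review bot: The added `SEC_STD_WRITE_OWNER` block has no comment explaining why holding the privilege clears the bit before the DACL is consulted. A one-line comment in the style of the `/* a NULL dacl allows access */` line that follows it would record the intent, for example that `SEC_PRIV_TAKE_OWNERSHIP` grants `SEC_STD_WRITE_OWNER` regardless of the DACL. The continuation line `security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {` is indented differently from the other added lines and should be aligned to match the surrounding code. The diff touches only access_check.c, so a test that requests `SEC_STD_WRITE_OWNER` with and without the privilege in the token would keep this from regressing. The subject names v3-6-test while the patch is against master, so the same change needs to be applied to that branch as well.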


-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)

