Possibly incorrect handling of SeBackupPrivilege and SeRestorePrivilege
realrichardsharpe at gmail.com
Wed Feb 29 09:07:16 MST 2012
I believe that the actual Windows semantics around SeBackupPrivilege
and SeRestorePrivilege is that if the requester opens a file with the
BACKUP INTENT (FILE_OPEN_FOR_BACKUP_INTENT) flag in CreateOptions and
they have those privileges and they have the correct access mode
specified then they get to open the file if the ACL does not give them
In looking at se_access_check we do not take into account
FILE_OPEN_FOR_BACKUP_INTENT when checking those two privilege bits,
which is wrong, I believe.
The good news is that Samba works. The bad news is that Samba will
give access in cases where Windows would not.
More information about the samba-technical