Windows 2008 and the handling of Owner Rights permissions

Richard Sharpe realrichardsharpe at
Sun Mar 4 09:09:30 MST 2012


it suggests that if an ACL on an object contains the Owner Rights
principal (S-1-3-4) and the permissions do not contain WRITE_DAC and
READ_CONTROL then the current handling of se_access_check
(libcli/security/access_check.c) is incorrect.

The solution seems simple. Defer the check for SEC_STD_WRITE_DAC and
SEC_STD_READ_CONTROL until after we have scanned the ACL and save the
permissions associated with S-1-3-4 in a variable that starts out as
~0 and is used with SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL to
determine the default permissions that should apply and therefore
those bits that should be removed ...

Thoughts? I guess I need to fire up a Windows Server 2008 VM to see if
this applies to file objects, but I suspect it does.

Richard Sharpe
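As an added illustration of the deferred check proposed in this post (example code written for this page, not Samba's se_access_check and not from libcli/security/access_check.c), the toy model below walks a DACL first, remembers what an S-1-3-4 (Owner Rights) ACE grants in a variable that starts out as ~0, and only afterwards gives the owner the implicit READ_CONTROL and WRITE_DAC bits that Owner Rights did not take away. SIDs are plain strings, the owner and non-owner SIDs and the two sample ACLs are constructed fixtures, and the function and type names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits, named after Samba's constants (the values are the Windows ones). */
#define SEC_STD_READ_CONTROL 0x00020000u
#define SEC_STD_WRITE_DAC    0x00040000u
#define SEC_FILE_READ_DATA   0x00000001u

/* Well-known SIDs as strings; the owner/other SIDs are constructed sample values. */
#define SID_OWNER_RIGHTS "S-1-3-4"
#define SID_WORLD        "S-1-1-0"
#define SID_OWNER        "S-1-5-21-1-2-3-1001"
#define SID_OTHER        "S-1-5-21-1-2-3-1002"

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { const char *sid; enum ace_type type; uint32_t mask; };
struct token { const char *sids[4]; size_t nsids; };

static bool token_has_sid(const struct token *tok, const char *sid)
{
    for (size_t i = 0; i < tok->nsids; i++)
        if (strcmp(tok->sids[i], sid) == 0)
            return true;
    return false;
}

/* Hypothetical access check: true iff every bit of 'desired' is granted. */
bool check_access(const struct ace *aces, size_t nace, const char *owner_sid,
                  const struct token *tok, uint32_t desired)
{
    bool is_owner = token_has_sid(tok, owner_sid);
    uint32_t remaining = desired;
    uint32_t owner_rights = ~0u;   /* ~0: no S-1-3-4 ACE seen, so the defaults apply */
    bool saw_owner_rights = false;

    for (size_t i = 0; i < nace; i++) {
        const struct ace *a = &aces[i];
        bool applies;

        if (strcmp(a->sid, SID_OWNER_RIGHTS) == 0) {
            /* Owner Rights ACEs match only the object's owner; record what they allow. */
            applies = is_owner;
            if (is_owner) {
                if (!saw_owner_rights) {
                    owner_rights = 0;
                    saw_owner_rights = true;
                }
                if (a->type == ACE_ALLOW)
                    owner_rights |= a->mask;
            }
        } else {
            applies = token_has_sid(tok, a->sid);
        }
        if (!applies)
            continue;

        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;
        else if (a->mask & remaining)
            return false;          /* a deny ACE hit a bit we still want */
    }

    /* Deferred owner check: implicit bits survive only where Owner Rights allows them. */
    if (is_owner)
        remaining &= ~((SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC) & owner_rights);

    return remaining == 0;
}

/* Constructed fixtures: one token for the owner, one for another user. */
static const struct token owner_tok = { { SID_OWNER, SID_WORLD }, 2 };
static const struct token other_tok = { { SID_OTHER, SID_WORLD }, 2 };

/* ACL without Owner Rights: the owner keeps the implicit READ_CONTROL|WRITE_DAC. */
static const struct ace acl_plain[] = {
    { SID_WORLD, ACE_ALLOW, SEC_FILE_READ_DATA },
};
/* ACL with Owner Rights limited to READ_CONTROL: the owner can no longer rewrite the DACL. */
static const struct ace acl_owner_rights[] = {
    { SID_OWNER_RIGHTS, ACE_ALLOW, SEC_STD_READ_CONTROL | SEC_FILE_READ_DATA },
    { SID_WORLD,        ACE_ALLOW, SEC_FILE_READ_DATA },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

bool owner_can_write_dac_without_owner_rights(void)
{ return check_access(acl_plain, N(acl_plain), SID_OWNER, &owner_tok, SEC_STD_WRITE_DAC); }
bool owner_can_write_dac_with_owner_rights(void)
{ return check_access(acl_owner_rights, N(acl_owner_rights), SID_OWNER, &owner_tok, SEC_STD_WRITE_DAC); }
bool owner_can_read_control_with_owner_rights(void)
{ return check_access(acl_owner_rights, N(acl_owner_rights), SID_OWNER, &owner_tok, SEC_STD_READ_CONTROL); }
bool other_user_gets_owner_rights(void)
{ return check_access(acl_owner_rights, N(acl_owner_rights), SID_OWNER, &other_tok, SEC_STD_READ_CONTROL); }

int main(void)
{
    printf("owner WRITE_DAC, no Owner Rights ACE: %s\n", owner_can_write_dac_without_owner_rights() ? "granted" : "denied");
    printf("owner WRITE_DAC, Owner Rights=RC:     %s\n", owner_can_write_dac_with_owner_rights() ? "granted" : "denied");
    printf("owner READ_CONTROL, Owner Rights=RC:  %s\n", owner_can_read_control_with_owner_rights() ? "granted" : "denied");
    printf("other user READ_CONTROL via S-1-3-4:  %s\n", other_user_gets_owner_rights() ? "granted" : "denied");
    return 0;
}
```

The point of the ~0 starting value is that the absence of an Owner Rights ACE must leave the default owner permissions fully intact, while its presence replaces them with exactly what the ACE grants; a deny ACE for S-1-3-4 falls out naturally, since it contributes no allow bits and trips the deny check in the walk.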
