Windows 2008 and the handling of Owner Rights permissions

[Richard Sharpe]

2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> Hi,
>
> Here http://technet.microsoft.com/en-us/library/dd125370%28v=WS.10%29.aspx
> it suggests that if an ACL on an object contains the Owner Rights
> principal (S-1-3-4) and the permissions do not contain WRITE_DAC and
> READ_CONTROL then the current handling of se_access_check
> (libcli/security/access_check.c) is incorrect.
>
> The solution seems simple. Defer the check for SEC_STD_WRITE_DAC and
> SEC_STD_READ_CONTROL until after we have scanned the ACL and save the
> permissions associated with S-1-3-4 in a variable that starts out as
> ~0 and is used with SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL to
> determine the default permissions that should apply and therefore
> those bits that should be removed ...
>
> Thoughts? I guess I need to fire up a Windows Server 2008 VM to see if
> this applies to file objects, but I suspect it does.

What I don't know is whether or not a DENY entry for Owner Rights is
allowed or has the obvious meaning.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)