The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL
Richard Sharpe
realrichardsharpe at gmail.com
Sun Mar 4 17:30:50 MST 2012
Hi,
What would it mean if there was a deny ACE in an ACL on a file that
denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
That is, what does Windows do?
The next question is: Is the code that handles DENY entries in
se_access_check in the Samba master branch correct? It does:
bits_remaining |= explicitly_denied_bits;
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
return NT_STATUS_ACCESS_DENIED;
}
This code would seem to override privileges, and I am not sure that
that is the intent, especially given that Microsoft introduced Owner
Rights in Server 2008.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list