The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Jeremy Allison jra at samba.org
Sun Mar 4 19:25:14 MST 2012


On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> > Hi,
> >
> > What would it mean if there was a deny ACE in an ACL on a file that
> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
> 
> Hmmm, what I really meant was DENY WRITE OWNER ...
> 
> > That is, what does Windows do?
> >
> > The next question is: Is the code that handles DENY entries in
> > se_access_check in the Samba master branch correct? It does:
> >
> >        bits_remaining |= explicitly_denied_bits;
> >
> > done:
> >        if (bits_remaining != 0) {
> >                *access_granted = bits_remaining;
> >                return NT_STATUS_ACCESS_DENIED;
> >        }
> >
> > This code would seem to override privileges, and I am not sure that
> > that is the intent, especially given that Microsoft introduced Owner
> > Rights in Server 2008.

Let's test it against Windows before we change any Samba code...

Jeremy.
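As an added illustration of the question raised above (constructed model code, not Samba's se_access_check, and it makes no claim about which variant Windows implements): a C model of the DACL walk in which a DENY ACE records either only the bits still outstanding after the privilege pre-grant, or every requested bit it names. The integer SIDs, the token layout and the scenario helper are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#define SEC_STD_WRITE_OWNER 0x00080000u /* standard-rights bits of the NT access mask */
#define SEC_STD_WRITE_DAC   0x00040000u
/* Constructed stand-ins: small integers instead of real SID structures. */
enum { SID_ADMINS = 1, SID_USERS = 2 };
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; int trustee; uint32_t mask; };
struct token { int sids[4]; int nsids; bool has_take_ownership_priv; };

static bool token_has_sid(const struct token *t, int sid)
{
	for (int i = 0; i < t->nsids; i++) if (t->sids[i] == sid) return true;
	return false;
}

/* Simplified DACL walk: returns 0 if every requested bit is granted, else the
 * unsatisfied bits (non-zero = ACCESS_DENIED). deny_overrides_priv picks what
 * a DENY ACE records: only bits still outstanding (so a bit already satisfied
 * by privilege stays granted) or every requested bit it names (DENY wins). */
static uint32_t model_access_check(const struct ace *dacl, int nace,
				   const struct token *t, uint32_t desired,
				   bool deny_overrides_priv)
{
	uint32_t bits_remaining = desired, explicitly_denied_bits = 0;
	/* Privilege pre-grant: SeTakeOwnershipPrivilege satisfies WRITE_OWNER. */
	if (t->has_take_ownership_priv)
		bits_remaining &= ~SEC_STD_WRITE_OWNER;
	for (int i = 0; i < nace && bits_remaining; i++) {
		if (!token_has_sid(t, dacl[i].trustee)) continue;
		if (dacl[i].type == ACE_ALLOW)
			bits_remaining &= ~dacl[i].mask;
		else
			explicitly_denied_bits |= dacl[i].mask &
				(deny_overrides_priv ? desired : bits_remaining);
	}
	/* Denied bits are never granted, even if a later ALLOW ACE cleared them. */
	return bits_remaining | explicitly_denied_bits;
}

/* Constructed scenario: an Administrators member asks for WRITE_OWNER | WRITE_DAC
 * against DENY Administrators WRITE_OWNER followed by ALLOW Administrators both. */
static uint32_t admin_write_owner_scenario(bool has_priv, bool deny_overrides_priv)
{
	const struct ace dacl[] = {
		{ ACE_DENY,  SID_ADMINS, SEC_STD_WRITE_OWNER },
		{ ACE_ALLOW, SID_ADMINS, SEC_STD_WRITE_OWNER | SEC_STD_WRITE_DAC } };
	const struct token t = { { SID_ADMINS, SID_USERS }, 2, has_priv };
	return model_access_check(dacl, 2, &t, SEC_STD_WRITE_OWNER | SEC_STD_WRITE_DAC,
				  deny_overrides_priv);
}
```

Without the privilege both variants deny WRITE_OWNER, which is what OR-ing the denied bits back in buys: a DENY ACE beats a later ALLOW for the same bit. With the privilege the two variants diverge, and that divergence is the behaviour to compare against Windows before touching the code.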


More information about the samba-technical mailing list