The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Richard Sharpe realrichardsharpe at gmail.com
Sun Mar 4 19:27:46 MST 2012


On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at samba.org> wrote:
> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
>> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
>> > Hi,
>> >
>> > What would it mean if there was a deny ACE in an ACL on a file that
>> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>>
>> Hmmm, what I really meant was DENY WRITE OWNER ...
>>
>> > That is, what does Windows do?
>> >
>> > The next question is: Is the code that handles DENY entries in
>> > se_access_check in the Samba master branch correct? It does:
>> >
>> >        bits_remaining |= explicitly_denied_bits;
>> >
>> > done:
>> >        if (bits_remaining != 0) {
>> >                *access_granted = bits_remaining;
>> >                return NT_STATUS_ACCESS_DENIED;
>> >        }
>> >
>> > This code would seem to override privileges, and I am not sure that
>> > that is the intent, especially given that Microsoft introduced Owner
>> > Rights in Server 2008.
>
> Let's test it against Windows before we change any Samba code...

I agree with that, that is for sure. I am just raising the issue at
this stage. Will test some time this week.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang's wine. -- Cao Cao)
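The following is an added example, not code from this thread or from Samba: a toy access check in C that transcribes the quoted tail (the `bits_remaining |= explicitly_denied_bits;` line and the `done:` status block) and surrounds it with an assumed DACL walk and an assumed take-ownership privilege step, so the reading Richard raises, that the final OR overrides a privilege grant, can be traced on a constructed ACL. The trustee tags, the `ace`/`token`/`result` structs, the `NT_STATUS_*` stand-ins, the sample DACLs and the placement of the privilege step after the walk are all assumptions of this model; what Windows actually does with such a DENY ACE is the open question the thread leaves for testing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard-rights bits, with the values winnt.h gives them. */
#define READ_CONTROL  0x00020000u
#define WRITE_DAC     0x00040000u
#define WRITE_OWNER   0x00080000u

/* Stand-ins for the two NTSTATUS values the quoted fragment returns. */
#define NT_STATUS_OK            0
#define NT_STATUS_ACCESS_DENIED 1

/* Trustees are small tags instead of real SIDs (modelling assumption). */
enum trustee  { SID_ADMINISTRATORS = 1, SID_USERS = 2 };
enum ace_type { ACE_ALLOWED, ACE_DENIED };

struct ace   { enum ace_type type; enum trustee trustee; uint32_t access_mask; };
struct token {
    const enum trustee *sids;
    size_t              num_sids;
    bool                take_ownership_priv; /* assumed: satisfies WRITE_OWNER */
};
struct result {
    int      status; /* NT_STATUS_OK or NT_STATUS_ACCESS_DENIED */
    uint32_t bits;   /* granted bits on success, unsatisfied bits on denial */
};

static bool token_has_sid(const struct token *t, enum trustee s)
{
    for (size_t i = 0; i < t->num_sids; i++)
        if (t->sids[i] == s)
            return true;
    return false;
}

/* Toy access check. Steps (1) and (2) are assumptions about what precedes
 * the quoted tail; the OR in (3) and the status block are transcribed from it. */
struct result access_check_model(const struct ace *aces, size_t num_aces,
                                 const struct token *token, uint32_t access_desired)
{
    uint32_t bits_remaining = access_desired;
    uint32_t explicitly_denied_bits = 0;
    struct result r;

    /* (1) Walk the DACL in order: ALLOW clears bits still wanted, DENY records
     *     the wanted bits it covers. The walk stops once nothing is wanted. */
    for (size_t i = 0; bits_remaining && i < num_aces; i++) {
        const struct ace *ace = &aces[i];
        if (!token_has_sid(token, ace->trustee))
            continue;
        if (ace->type == ACE_ALLOWED)
            bits_remaining &= ~ace->access_mask;
        else
            explicitly_denied_bits |= (bits_remaining & ace->access_mask);
    }

    /* (2) Privilege grant, placed after the walk in this model (assumption). */
    if ((bits_remaining & WRITE_OWNER) && token->take_ownership_priv)
        bits_remaining &= ~WRITE_OWNER;

    /* (3) Explicitly denied bits are put back, so they win over every grant
     *     made above, the privilege in (2) included. */
    bits_remaining |= explicitly_denied_bits;

    r.status = bits_remaining ? NT_STATUS_ACCESS_DENIED : NT_STATUS_OK;
    r.bits   = bits_remaining ? bits_remaining : access_desired;
    return r;
}

/* Constructed sample data: an Administrators token and three small DACLs. */
static const enum trustee admin_sids[] = { SID_ADMINISTRATORS, SID_USERS };
static const struct ace deny_then_allow[] = {
    { ACE_DENIED,  SID_ADMINISTRATORS, WRITE_OWNER },
    { ACE_ALLOWED, SID_ADMINISTRATORS, READ_CONTROL | WRITE_DAC | WRITE_OWNER },
};
static const struct ace allow_then_deny[] = {
    { ACE_ALLOWED, SID_ADMINISTRATORS, READ_CONTROL | WRITE_DAC | WRITE_OWNER },
    { ACE_DENIED,  SID_ADMINISTRATORS, WRITE_OWNER },
};
static const struct ace deny_only[] = { { ACE_DENIED, SID_ADMINISTRATORS, WRITE_OWNER } };

static struct result probe(const struct ace *dacl, size_t n, bool priv, uint32_t desired)
{
    struct token t = { admin_sids, 2, priv };
    return access_check_model(dacl, n, &t, desired);
}

/* DENY recorded first: the later ALLOW cannot undo it. */
struct result probe_deny_then_allow(void)    { return probe(deny_then_allow, 2, false, WRITE_OWNER | WRITE_DAC); }
/* Same DACL, WRITE_OWNER not requested: the DENY records nothing. */
struct result probe_without_write_owner(void){ return probe(deny_then_allow, 2, false, READ_CONTROL | WRITE_DAC); }
/* ALLOW first clears the bit, so the DENY has nothing left to record. */
struct result probe_allow_then_deny(void)    { return probe(allow_then_deny, 2, false, WRITE_OWNER | WRITE_DAC); }
/* The privilege clears WRITE_OWNER in (2); step (3) puts it straight back. */
struct result probe_privilege_vs_deny(void)  { return probe(deny_only, 1, true, WRITE_OWNER); }

static void show(const char *name, struct result r)
{
    printf("%-18s status %d, bits 0x%08x\n", name, r.status, (unsigned)r.bits);
}

int main(void)
{
    show("deny then allow:",  probe_deny_then_allow());
    show("no WRITE_OWNER:",   probe_without_write_owner());
    show("allow then deny:",  probe_allow_then_deny());
    show("privilege vs deny:", probe_privilege_vs_deny());
    return 0;
}
```

The two orderings show why the question is not just about the final OR: in this model a DENY only captures bits that are still wanted when it is reached, so an earlier ALLOW neutralises it, while a DENY that comes first survives both a later ALLOW and the privilege step. Whether the privilege should win is exactly what the thread agrees to check against Windows before touching the Samba code.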


More information about the samba-technical mailing list