The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Richard Sharpe realrichardsharpe at
Tue Mar 6 12:30:15 MST 2012

2012/3/4 Richard Sharpe <realrichardsharpe at>:
> On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at> wrote:
>> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
>>> 2012/3/4 Richard Sharpe <realrichardsharpe at>:
>>> > Hi,
>>> >
>>> > What would it mean if there was a deny ACE in an ACL on a file that
>>> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>>> Hmmm, what I really meant was DENY WRITE OWNER ...
>>> > That is, what does Windows do?
>>> >
>>> > The next question is: Is the code that handles DENY entries in
>>> > se_access_check in the Samba master branch correct? It does:
>>> >
>>> >        bits_remaining |= explicitly_denied_bits;
>>> >
>>> > done:
>>> >        if (bits_remaining != 0) {
>>> >                *access_granted = bits_remaining;
>>> >                return NT_STATUS_ACCESS_DENIED;
>>> >        }
>>> >
>>> > This code would seem to override privileges, and I am not sure that
>>> > that is the intent, especially given that Microsoft introduced Owner
>>> > Rights in Server 2008.
>> Let's test it against Windows before we change any Samba code...
> I agree with that, that is for sure. I am just raising the issue at
> this stage. Will test some time this week.

OK, I have tested this with Windows 2003.

I created a user, user1, and then created a file and on that file I
removed all inherited permissions, then added a Deny Entry for
DOM\Administrator denying WRITE_OWNER. I also took ownership of the
file as user1.

Then I logged out and logged back in as DOM\Administrator. I then
brought up the properties on that file, and selected the Security tab.
It told me that I did not have permissions to view the permissions
info, but that I could take ownership if I wanted. So, I went to
Advanced, took ownership, and saved, and it was all OK.

I believe that this demonstrates that SeTakeOwnershipPrivilege
overrides explicit deny entries in any ACL on the file, and, as a
result, Samba's current implementation of this is incorrect.

Please sir, can I create another bug now?

Richard Sharpe

More information about the samba-technical mailing list