The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Stefan (metze) Metzmacher metze at samba.org
Tue Mar 6 12:34:52 MST 2012


Hi Richard,

> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
>> On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at samba.org> wrote:
>>> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
>>>> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
>>>>> Hi,
>>>>>
>>>>> What would it mean if there was a deny ACE in an ACL on a file that
>>>>> denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>>>>
>>>> Hmmm, what I really meant was DENY WRITE OWNER ...
>>>>
>>>>> That is, what does Windows do?
>>>>>
>>>>> The next question is: Is the code that handles DENY entries in
>>>>> se_access_check in the Samba master branch correct? It does:
>>>>>
>>>>>        bits_remaining |= explicitly_denied_bits;
>>>>>
>>>>> done:
>>>>>        if (bits_remaining != 0) {
>>>>>                *access_granted = bits_remaining;
>>>>>                return NT_STATUS_ACCESS_DENIED;
>>>>>        }
>>>>>
>>>>> This code would seem to override privileges, and I am not sure that
>>>>> that is the intent, especially given that Microsoft introduced Owner
>>>>> Rights in Server 2008.
>>>
>>> Let's test it against Windows before we change any Samba code...
>>
>> I agree with that, that is for sure. I am just raising the issue at
>> this stage. Will test some time this week.
> 
> OK, I have tested this with Windows 2003.
> 
> I created a user, user1, and then created a file and on that file I
> removed all inherited permissions, then added a Deny Entry for
> DOM\Administrator denying WRITE_OWNER. I also took ownership of the
> file as user1.
> 
> Then I logged out and logged back in as DOM\Administrator. I then
> brought up the properties on that file, and selected the Security tab.
> It told me that I did not have permissions to view the permissions
> info, but that I could take ownership if I wanted. So, I went to
> Advanced, took ownership, and saved, and it was all OK.

What we really need are torture tests which demonstrate this in an easy way, so that we don't get regressions once we've fixed our bugs.
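As an added illustration of the question raised in the thread (this is a constructed toy model, not Samba's se_access_check and not Windows' access-check algorithm), the block below evaluates the scenario Richard tested under the two possible semantics: an explicit DENY ACE that overrides a privilege, versus a privilege (here SeTakeOwnershipPrivilege) that is applied after the ACE walk and therefore overrides the DENY. The SEC_STD_* values are the real ACCESS_MASK standard-rights bits; the SIDs, token, status codes and ACE structures are hypothetical and simplified for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard-rights bits of the Windows ACCESS_MASK (real values). */
#define SEC_STD_READ_CONTROL 0x00020000u
#define SEC_STD_WRITE_DAC    0x00040000u
#define SEC_STD_WRITE_OWNER  0x00080000u

/* Toy status codes for this model; not NTSTATUS values. */
enum status { STATUS_OK = 0, STATUS_ACCESS_DENIED = 1 };

enum ace_type { ACE_ALLOW, ACE_DENY };

/* Hypothetical SIDs, modelled as small integers (constructed for the example). */
enum sid { SID_ADMINISTRATORS = 1, SID_USER1 = 2 };

struct ace {
    enum ace_type type;
    enum sid trustee;
    uint32_t mask;
};

struct token {
    const enum sid *sids;
    size_t nsids;
    bool has_take_ownership_priv; /* models SeTakeOwnershipPrivilege */
};

static bool token_has_sid(const struct token *t, enum sid s)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (t->sids[i] == s)
            return true;
    return false;
}

/*
 * Evaluate 'desired' against a DACL under one of two orderings.
 *
 * deny_wins == true:  bits satisfied by the privilege are cleared before the
 *                     ACE walk, but bits matched by an explicit DENY ACE are
 *                     OR-ed back afterwards, so the DENY overrides the privilege.
 * deny_wins == false: the ACE walk runs first and the privilege is applied to
 *                     whatever is still outstanding, so the privilege overrides
 *                     the DENY (the outcome reported for Windows 2003 above).
 */
static enum status check_access(const struct token *t, const struct ace *acl,
                                size_t nace, uint32_t desired, bool deny_wins,
                                uint32_t *granted)
{
    uint32_t bits_remaining = desired;
    uint32_t explicitly_denied_bits = 0;

    if (deny_wins && (bits_remaining & SEC_STD_WRITE_OWNER) &&
        t->has_take_ownership_priv)
        bits_remaining &= ~SEC_STD_WRITE_OWNER;

    for (size_t i = 0; i < nace; i++) {
        if (!token_has_sid(t, acl[i].trustee))
            continue;
        if (acl[i].type == ACE_ALLOW)
            bits_remaining &= ~acl[i].mask;
        else
            explicitly_denied_bits |= desired & acl[i].mask;
    }

    /* explicitly denied bits are put back, as in the snippet quoted above */
    bits_remaining |= explicitly_denied_bits;

    if (!deny_wins && (bits_remaining & SEC_STD_WRITE_OWNER) &&
        t->has_take_ownership_priv)
        bits_remaining &= ~SEC_STD_WRITE_OWNER;

    *granted = desired & ~bits_remaining;
    return bits_remaining ? STATUS_ACCESS_DENIED : STATUS_OK;
}

/* The tested scenario: a DACL holding only DENY WRITE_OWNER for Administrators,
   and a member of Administrators asking for WRITE_OWNER, with or without the
   take-ownership privilege. */
static enum status scenario(bool deny_wins, bool has_priv, uint32_t *granted)
{
    static const struct ace acl[] = {
        { ACE_DENY, SID_ADMINISTRATORS, SEC_STD_WRITE_OWNER },
    };
    static const enum sid admin_sids[] = { SID_ADMINISTRATORS };
    const struct token admin = { admin_sids, 1, has_priv };

    return check_access(&admin, acl, 1, SEC_STD_WRITE_OWNER, deny_wins, granted);
}

static enum status scenario_status(bool deny_wins, bool has_priv)
{
    uint32_t g;
    return scenario(deny_wins, has_priv, &g);
}

static uint32_t scenario_granted(bool deny_wins, bool has_priv)
{
    uint32_t g;
    scenario(deny_wins, has_priv, &g);
    return g;
}

int main(void)
{
    printf("deny overrides privilege: %s\n",
           scenario_status(true, true) == STATUS_OK ? "granted" : "ACCESS_DENIED");
    printf("privilege overrides deny: %s\n",
           scenario_status(false, true) == STATUS_OK ? "granted" : "ACCESS_DENIED");
    printf("no privilege, either ordering: %s\n",
           scenario_status(false, false) == STATUS_OK ? "granted" : "ACCESS_DENIED");
    return 0;
}
```

Without the privilege both orderings deny, so the only thing the two semantics disagree on is the interaction between an explicit DENY and a privilege; that is exactly the case a torture test for this behaviour would need to pin down against a Windows server.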

