The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Richard Sharpe realrichardsharpe at
Tue Mar 6 12:39:52 MST 2012

2012/3/6 Stefan (metze) Metzmacher <metze at>:
> Hi Richard,
>> 2012/3/4 Richard Sharpe <realrichardsharpe at>:
>>> On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at> wrote:
>>>> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
>>>>> 2012/3/4 Richard Sharpe <realrichardsharpe at>:
>>>>>> Hi,
>>>>>> What would it mean if there was a deny ACE in an ACL on a file that
>>>>>> denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>>>>> Hmmm, what I really meant was DENY WRITE OWNER ...
>>>>>> That is, what does Windows do?
>>>>>> The next question is: Is the code that handles DENY entries in
>>>>>> se_access_check in the Samba master branch correct? It does:
>>>>>>        bits_remaining |= explicitly_denied_bits;
>>>>>> done:
>>>>>>        if (bits_remaining != 0) {
>>>>>>                *access_granted = bits_remaining;
>>>>>>                return NT_STATUS_ACCESS_DENIED;
>>>>>>        }
>>>>>> This code would seem to override privileges, and I am not sure that
>>>>>> that is the intent, especially given that Microsoft introduced Owner
>>>>>> Rights in Server 2008.
>>>> Let's test it against Windows before we change any Samba code...
>>> I agree with that, that is for sure. I am just raising the issue at
>>> this stage. Will test some time this week.
>> OK, I have tested this with Windows 2003.
>> I created a user, user1, and then created a file and on that file I
>> removed all inherited permissions, then added a Deny Entry for
>> DOM\Administrator denying WRITE_OWNER. I also took ownership of the
>> file as user1.
>> Then I logged out and logged back in as DOM\Administrator. I then
>> brought up the properties on that file, and selected the Security tab.
>> It told me that I did not have permissions to view the permissions
>> info, but that I could take ownership if I wanted. So, I went to
>> Advanced, took ownership, and saved, and it was all OK.
> What we really need are torture tests, which demonstrate this in an easy
> way, so that we don't get regressions, once we've fixed our bugs.

Yes, I agree. However, the smbtorture stuff is a bit daunting to work with.

Is the Python infrastructure for testing easier to deal with? Where
can I read about it?

Richard Sharpe

More information about the samba-technical mailing list