The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Jeremy Allison jra at samba.org
Tue Mar 6 16:04:26 MST 2012


On Tue, Mar 06, 2012 at 11:30:15AM -0800, Richard Sharpe wrote:
> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> > On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at samba.org> wrote:
> >> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
> >>> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> >>> > Hi,
> >>> >
> >>> > What would it mean if there was a deny ACE in an ACL on a file that
> >>> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
> >>>
> >>> Hmmm, what I really meant was DENY WRITE OWNER ...
> >>>
> >>> > That is, what does Windows do?
> >>> >
> >>> > The next question is: Is the code that handles DENY entries in
> >>> > se_access_check in the Samba master branch correct? It does:
> >>> >
> >>> >        bits_remaining |= explicitly_denied_bits;
> >>> >
> >>> > done:
> >>> >        if (bits_remaining != 0) {
> >>> >                *access_granted = bits_remaining;
> >>> >                return NT_STATUS_ACCESS_DENIED;
> >>> >        }
> >>> >
> >>> > This code would seem to override privileges, and I am not sure that
> >>> > that is the intent, especially given that Microsoft introduced Owner
> >>> > Rights in Server 2008.
> >>
> >> Let's test it against Windows before we change any Samba code...
> >
> > I agree with that, that is for sure. I am just raising the issue at
> > this stage. Will test some time this week.
> 
> OK, I have tested this with Windows 2003.
> 
> I created a user, user1, and then created a file and on that file I
> removed all inherited permissions, then added a Deny Entry for
> DOM\Administrator denying WRITE_OWNER. I also took ownership of the
> file as user1.
> 
> Then I logged out and logged back in as DOM\Administrator. I then
> brought up the properties on that file, and selected the Security tab.
> It told me that I did not have permissions to view the permissions
> info, but that I could take ownership if I wanted. So, I went to
> Advanced, took ownership, and saved, and it was all OK.
> 
> I believe that this demonstrates that SeTakeOwnershipPrivilege
> overrides explicit deny entries in any ACL on the file, and, as a
> result, Samba's current implementation of this is incorrect.
> 
> Please sir, can I create another bug now?

Please feel free :-).
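
Added example, not part of the original message and not Samba's code: a toy C model of the two orderings discussed in this thread, run against the ACL from the Windows 2003 test (a single deny ACE for WRITE_OWNER). The integer SIDs, the `PRIV_TAKE_OWNERSHIP` flag, the `privilege_first` switch and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define READ_CONTROL 0x00020000u
#define WRITE_OWNER  0x00080000u
#define PRIV_TAKE_OWNERSHIP 0x1u  /* constructed flag standing in for SeTakeOwnershipPrivilege */

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace   { enum ace_type type; int sid; uint32_t mask; };  /* sid: toy integer id */
struct token { int sid; uint32_t privs; };

/* Returns the bits still refused; 0 means every requested bit was granted.
 * privilege_first = 1: a bit granted by privilege is never shown to the DACL.
 * privilege_first = 0: deny bits are OR-ed back last, the ordering questioned in the thread. */
uint32_t toy_access_check(const struct token *t, const struct ace *acl, size_t n,
                          uint32_t desired, int privilege_first)
{
    uint32_t remaining = desired, denied = 0;
    uint32_t by_priv = (t->privs & PRIV_TAKE_OWNERSHIP) ? (desired & WRITE_OWNER) : 0;

    if (privilege_first)
        remaining &= ~by_priv;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].sid != t->sid)
            continue;
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;
        else
            denied |= remaining & acl[i].mask;  /* deny only bits not yet granted */
    }
    if (!privilege_first)
        remaining &= ~by_priv;
    return remaining | denied;
}

/* Constructed scenario: the ACL holds one deny ACE for WRITE_OWNER against
 * the administrator (toy sid 1), who holds the take-ownership privilege. */
uint32_t scenario(uint32_t desired, int privilege_first)
{
    const struct ace acl[] = { { ACE_DENY, 1, WRITE_OWNER } };
    const struct token admin = { 1, PRIV_TAKE_OWNERSHIP };
    return toy_access_check(&admin, acl, 1, desired, privilege_first);
}

int main(void)
{
    printf("privilege first: refused=0x%08x\n", (unsigned)scenario(READ_CONTROL | WRITE_OWNER, 1));
    printf("deny last:       refused=0x%08x\n", (unsigned)scenario(READ_CONTROL | WRITE_OWNER, 0));
    return 0;
}
```

With `privilege_first` set, only READ_CONTROL is refused, which matches the behaviour reported above: the permissions could not be viewed, but ownership could be taken.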

