Windows seems to allow a file to be created with DELETE/DELETE_ON_CLOSE when the requester does not have DELETE_CHILD in the directory where the create is occurring

[Richard Sharpe]

On Fri, Mar 29, 2013 at 6:33 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
>
> Hi folks,
>
> The following simple diff suggests to me that when a client does a CREATE_FILE requesting
> DELETE_ON_CLOSE (and DELETE) but does not have DELETE_CHILD access in the directory they
> are creating the file in, Windows allows the create, while Samba denies it:
>
> --- a/source4/torture/smb2/create.c
> +++ b/source4/torture/smb2/create.c
> @@ -139,6 +139,24 @@ static bool test_create_gentest(struct torture_context *tctx, struct smb2_tree *
>         union smb_fileinfo q;
>
>         ZERO_STRUCT(io);
> +       io.in.desired_access     = 0x130196;
> +       io.in.file_attributes    = 0;
> +       io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
> +       io.in.share_access       = NTCREATEX_SHARE_ACCESS_DELETE;
> +       io.in.create_options     = 0x401060;
> +       io.in.fname              = FNAME;
> +
> +       status = smb2_create(tree, tctx, &io);
> +       CHECK_STATUS(status, NT_STATUS_OK);
> +
> +       status = smb2_util_close(tree, io.out.file.handle);
> +
> +       printf("Press enter to continue:");
> +       getchar();
> +
> +       smb2_deltree(tree, FNAME);
> +
> +       ZERO_STRUCT(io);
>         io.in.desired_access     = SEC_FLAG_MAXIMUM_ALLOWED;
>         io.in.file_attributes    = FILE_ATTRIBUTE_NORMAL;
>         io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
>
> Here are the permissions on the W2K08 system for the share:
>
> xxx# smbcacls //192.168.56.50/c / -Unimbus-10/administrator%c9td0g\!\! --numeric
> REVISION:1
> CONTROL:0x9004
> OWNER:S-1-5-32-544
> GROUP:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
> ACL:S-1-3-0:0/0xb/0x10000000
> ACL:S-1-5-18:0/0x3/0x001f01ff
> ACL:S-1-5-32-544:0/0x3/0x001f01ff
> ACL:S-1-5-32-545:0/0x3/0x001301bf
>
> Here is user I was testing with:
>
> xxx# wbinfo -n test1
> S-1-5-21-1974519673-996841176-3241138571-1114 SID_USER (1)
> xxx# wbinfo --user-domgroups=S-1-5-21-1974519673-996841176-3241138571-1114
> S-1-5-21-1974519673-996841176-3241138571-513
>
> I will confirm on Monday against Samba 3.6.12, however, I have a capture from a customer and
> a log file that suggests Samba is denying the request to open the file because DELETE_CHILD is not available.

It occurred to me over the weekend that what could be happening is
that in the create case, ACL inheritance is performed before
DELETE_ON_CLOSE testing is performed, so I did some further testing
where the requesting user does not get DELETE via ACL inheritance.

Even if I remove DELETE from all ACEs that are inherited and then run
my test program but stop it before it closes the file, the file is
successfully created and then deleted when closed.

This seems to prove conclusively that Windows does not require
DELETE_CHILD in the directory you are creating a file when you request
DELETE access and DELETE_ON_CLOSE with CREATE_ALWAYS or CREATE.

At least W2K08 behaves this way.


--
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)