Owner rights should override explicitly denied bits?

Fri Feb 22 13:21:49 MST 2013

Hi folks,

In Samba 3.6.12 and master we currently have the following ordering of checks:

        /* the owner always gets owner rights as defined above */
        if (security_token_has_sid(token, sd->owner_sid)) {
                if (owner_rights_default)
                        /*
                         * Just remove them, no need to check if they are
                         * there.
                         */
                        bits_remaining &= ~(SEC_STD_WRITE_DAC |
                                            SEC_STD_READ_CONTROL);

                else {
                        bits_remaining &= ~owner_rights_allowed;
                        bits_remaining |= (owner_rights_denied &
access_desired);
                }
        }

        /* Explicitly denied bits always override */
        bits_remaining |= (explicitly_denied_bits & access_desired);

However, tests on W2K08 suggest that this is the wrong order.

Tested by doing:

1. Administrator created a file: filex.txt
2. Administrator added a DENY entry to the ACL for the file with
Domain Users: Deny All
3. Then Administrator accessed the file remotely, but was still able
to access the file (at least the permissions). However, Administrator
was unable to open the file for reading. It got Access Denied.

This leads me to think that we should reverse the order of the above
two sections.

I will file a bug.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)