Windows seems to allow a file to be created with DELETE/DELETE_ON_CLOSE when the requester does not have DELETE_CHILD in the directory where the create is occurring

Richard Sharpe realrichardsharpe at gmail.com
Fri Mar 29 19:33:42 MDT 2013 

Hi folks,

The following simple diff suggests to me that when a client does a
CREATE_FILE requesting DELETE_ON_CLOSE (and DELETE) but does not have
DELETE_CHILD access in the directory they are creating the file in, Windows
allows the create, while Samba denies it:

--- a/source4/torture/smb2/create.c
+++ b/source4/torture/smb2/create.c
@@ -139,6 +139,24 @@ static bool test_create_gentest(struct torture_context
*tctx, struct smb2_tree *
        union smb_fileinfo q;

        ZERO_STRUCT(io);
+       io.in.desired_access     = 0x130196;
+       io.in.file_attributes    = 0;
+       io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+       io.in.share_access       = NTCREATEX_SHARE_ACCESS_DELETE;
+       io.in.create_options     = 0x401060;
+       io.in.fname              = FNAME;
+
+       status = smb2_create(tree, tctx, &io);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       status = smb2_util_close(tree, io.out.file.handle);
+
+       printf("Press enter to continue:");
+       getchar();
+
+       smb2_deltree(tree, FNAME);
+
+       ZERO_STRUCT(io);
        io.in.desired_access     = SEC_FLAG_MAXIMUM_ALLOWED;
        io.in.file_attributes    = FILE_ATTRIBUTE_NORMAL;
        io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;

Here are the permissions on the W2K08 system for the share:

xxx# smbcacls //192.168.56.50/c / -Unimbus-10/administrator%c9td0g\!\!
--numeric
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-32-544
GROUP:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
ACL:S-1-3-0:0/0xb/0x10000000
ACL:S-1-5-18:0/0x3/0x001f01ff
ACL:S-1-5-32-544:0/0x3/0x001f01ff
ACL:S-1-5-32-545:0/0x3/0x001301bf

Here is user I was testing with:

xxx# wbinfo -n test1
S-1-5-21-1974519673-996841176-3241138571-1114 SID_USER (1)
xxx# wbinfo --user-domgroups=S-1-5-21-1974519673-996841176-3241138571-1114
S-1-5-21-1974519673-996841176-3241138571-513

I will confirm on Monday against Samba 3.6.12, however, I have a capture
from a customer and a log file that suggests Samba is denying the request
to open the file because DELETE_CHILD is not available.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

More information about the samba-technical mailing list