Windows seems to allow a file to be created with DELETE/DELETE_ON_CLOSE when the requester does not have DELETE_CHILD in the directory where the create is occurring
Richard Sharpe
realrichardsharpe at gmail.com
Fri Mar 29 19:33:42 MDT 2013
Hi folks,
The following simple diff suggests to me that when a client does a
CREATE_FILE requesting DELETE_ON_CLOSE (and DELETE) but does not have
DELETE_CHILD access in the directory they are creating the file in, Windows
allows the create, while Samba denies it:
--- a/source4/torture/smb2/create.c
+++ b/source4/torture/smb2/create.c
@@ -139,6 +139,24 @@ static bool test_create_gentest(struct torture_context
*tctx, struct smb2_tree *
union smb_fileinfo q;
ZERO_STRUCT(io);
+ io.in.desired_access = 0x130196;
+ io.in.file_attributes = 0;
+ io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+ io.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE;
+ io.in.create_options = 0x401060;
+ io.in.fname = FNAME;
+
+ status = smb2_create(tree, tctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb2_util_close(tree, io.out.file.handle);
+
+ printf("Press enter to continue:");
+ getchar();
+
+ smb2_deltree(tree, FNAME);
+
+ ZERO_STRUCT(io);
io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED;
io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
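Review bot: the status returned by smb2_util_close(tree, io.out.file.handle) in the added block is assigned but never checked, so a failed close (and therefore a delete-on-close that never ran) passes silently; follow it with CHECK_STATUS(status, NT_STATUS_OK) as is done after smb2_create. The printf("Press enter to continue:") / getchar() pair blocks any unattended torture run and should be dropped or gated before this goes beyond a local experiment. The literals 0x130196 and 0x401060 would read better as OR-ed named constants, the way the context lines use SEC_FLAG_MAXIMUM_ALLOWED, so that the DELETE and delete-on-close bits under test are visible in the source.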
Here are the permissions on the W2K08 system for the share:
xxx# smbcacls //192.168.56.50/c / -Unimbus-10/administrator%c9td0g\!\! --numeric
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-32-544
GROUP:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
ACL:S-1-3-0:0/0xb/0x10000000
ACL:S-1-5-18:0/0x3/0x001f01ff
ACL:S-1-5-32-544:0/0x3/0x001f01ff
ACL:S-1-5-32-545:0/0x3/0x001301bf
Here is the user I was testing with:
xxx# wbinfo -n test1
S-1-5-21-1974519673-996841176-3241138571-1114 SID_USER (1)
xxx# wbinfo --user-domgroups=S-1-5-21-1974519673-996841176-3241138571-1114
S-1-5-21-1974519673-996841176-3241138571-513
I will confirm on Monday against Samba 3.6.12; however, I have a capture
from a customer and a log file that suggests Samba is denying the request
to open the file because DELETE_CHILD is not available.
--
Regards,
Richard Sharpe
(How can I dispel my sorrows? Only with Du Kang wine. -- Cao Cao)
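The following is an added example, not part of the original message and not Samba code: it evaluates the share-root DACL from the smbcacls output against the masks used in the diff, and shows that the directory grants FILE_ADD_FILE but not FILE_DELETE_CHILD to the test user. It assumes test1's token contains BUILTIN\Users (S-1-5-32-545), which the message does not state; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values from the Windows/SMB2 access-mask and create-options definitions. */
#define FILE_ADD_FILE        0x00000002u /* directory: create a file in it */
#define FILE_DELETE_CHILD    0x00000040u /* directory: delete any entry in it */
#define STD_DELETE           0x00010000u /* DELETE on the object itself */
#define FILE_DELETE_ON_CLOSE 0x00001000u /* create option */
#define ACE_INHERIT_ONLY     0x08u       /* ACE flag: applies to children only */

struct ace { const char *sid; unsigned type, flags; uint32_t mask; };

/* DACL of the share root, copied from the smbcacls --numeric output in the message. */
static const struct ace share_root_dacl[] = {
    { "S-1-3-0",      0, 0xb, 0x10000000u },
    { "S-1-5-18",     0, 0x3, 0x001f01ffu },
    { "S-1-5-32-544", 0, 0x3, 0x001f01ffu },
    { "S-1-5-32-545", 0, 0x3, 0x001301bfu },
};

/* OR together the allow ACEs (type 0) that match the token and apply to the
 * directory itself. This DACL has no deny ACEs, so ACE order does not matter. */
static uint32_t granted_on_dir(const struct ace *dacl, size_t n, const char *const *token, size_t ntok)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (dacl[i].type != 0 || (dacl[i].flags & ACE_INHERIT_ONLY))
            continue;
        for (size_t t = 0; t < ntok; t++)
            if (strcmp(dacl[i].sid, token[t]) == 0)
                granted |= dacl[i].mask;
    }
    return granted;
}

/* 1 when a DELETE + delete-on-close create would be refused by a check that
 * requires DELETE_CHILD on the parent, although the parent grants FILE_ADD_FILE. */
static int hits_delete_child_gap(uint32_t dir_granted, uint32_t desired, uint32_t options)
{
    int wants_delete = (desired & STD_DELETE) && (options & FILE_DELETE_ON_CLOSE);
    return wants_delete && (dir_granted & FILE_ADD_FILE) && !(dir_granted & FILE_DELETE_CHILD);
}

int main(void)
{
    /* Assumed token: test1's SID plus BUILTIN\Users (membership not shown in the message). */
    const char *const token[] = { "S-1-5-21-1974519673-996841176-3241138571-1114", "S-1-5-32-545" };
    uint32_t g = granted_on_dir(share_root_dacl, 4, token, 2);
    printf("dir access 0x%08x, gap %d\n", (unsigned)g, hits_delete_child_gap(g, 0x130196u, 0x401060u));
    return 0;
}
```

The S-1-3-0 entry is skipped because its flags (0xb) include inherit-only, so it contributes nothing to access on the directory itself.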