Backup privileges for reading files

Shilpa K shilpa.krishnareddy at gmail.com
Thu Jun 25 09:42:07 MDT 2015


Thanks Richard. Yes, backup intent flag is set:

            .... .... .... .... .1.. .... .... .... = Backup Intent: This
is a create with BACKUP INTENT


Will it be a right solution if we set priv_open_requested flag to true when
calling se_file_access_check() when backup intent flag is set in create
options?

Thanks,
Shilpa


On Thu, Jun 25, 2015 at 7:39 PM, Richard Sharpe <realrichardsharpe at gmail.com
> wrote:

> On Thu, Jun 25, 2015 at 6:16 AM, Shilpa K <shilpa.krishnareddy at gmail.com>
> wrote:
> > Hello,
> >
> > A backup application is trying to read files/directories as part of
> backup.
> > This is being done in the context of a user who is a member of
> > BUILTIN\backup operators group in Samba. Application is
> > requesting FILE_READ_DATA access and as the user has no explicit read
> > access for the directory/file, it is failing with access denied. I see
> that
> > only share security check is bypassed for a member of backup operators
> > group while read access is required for reading files even if the user
> is a
> > member of backup operators group. Can you please let me know if this is
> by
> > design?
>
> Did they signal backup intent? I seem to recall that you need this bit
> in the CREATE as well.
>
> #define FILE_OPEN_FOR_BACKUP_INTENT    0x4000
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>


More information about the samba-technical mailing list