Backup privileges for reading files
realrichardsharpe at gmail.com
Thu Jun 25 10:39:20 MDT 2015
On Thu, Jun 25, 2015 at 8:42 AM, Shilpa K <shilpa.krishnareddy at gmail.com> wrote:
> Thanks Richard. Yes, backup intent flag is set:
> .... .... .... .... .1.. .... .... .... = Backup Intent: This is
> a create with BACKUP INTENT
> Will it be a right solution if we set priv_open_requested flag to true when
> calling se_file_access_check() when backup intent flag is set in create
I am not sure. I forget the 3.6.X code these days. I would try that
and see if you are working with the 3.6.x code base.
> On Thu, Jun 25, 2015 at 7:39 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Thu, Jun 25, 2015 at 6:16 AM, Shilpa K <shilpa.krishnareddy at gmail.com>
>> > Hello,
>> > A backup application is trying to read files/directories as part of
>> > backup.
>> > This is being done in the context of a user who is a member of
>> > BUILTIN\backup operators group in Samba. Application is
>> > requesting FILE_READ_DATA access and as the user has no explicit read
>> > access for the directory/file, it is failing with access denied. I see
>> > that
>> > only share security check is bypassed for a member of backup operators
>> > group while read access is required for reading files even if the user
>> > is a
>> > member of backup operators group. Can you please let me know if this is
>> > by
>> > design?
>> Did they signal backup intent? I seem to recall that you need this bit
>> in the CREATE as well.
>> #define FILE_OPEN_FOR_BACKUP_INTENT 0x4000
>> Richard Sharpe
More information about the samba-technical