Backup privileges for reading files

Shilpa K shilpa.krishnareddy at gmail.com
Thu Jun 25 10:51:43 MDT 2015


3.6.X requires a port of se_file_access_check() from the 4.X series. In 4.2
itself, in the file open.c, the priv_open_requested flag is set to false, due
to which the backup privilege is not considered for a create request. So, I
wanted to know if it is OK to set the priv_open_requested flag to true in the
4.x code itself.

Thanks,
Shilpa

On Thu, Jun 25, 2015 at 10:09 PM, Richard Sharpe <
realrichardsharpe at gmail.com> wrote:

> On Thu, Jun 25, 2015 at 8:42 AM, Shilpa K <shilpa.krishnareddy at gmail.com>
> wrote:
> > Thanks Richard. Yes, backup intent flag is set:
> >
> >             .... .... .... .... .1.. .... .... .... = Backup Intent: This is a create with BACKUP INTENT
> >
> >
> > Will it be a right solution if we set priv_open_requested flag to true
> > when calling se_file_access_check() when backup intent flag is set in
> > create options?
>
> I am not sure. I forget the 3.6.X code these days. I would try that
> and see if you are working with the 3.6.x code base.
>
> > Thanks,
> > Shilpa
> >
> >
> > On Thu, Jun 25, 2015 at 7:39 PM, Richard Sharpe
> > <realrichardsharpe at gmail.com> wrote:
> >>
> >> On Thu, Jun 25, 2015 at 6:16 AM, Shilpa K <shilpa.krishnareddy at gmail.com>
> >> wrote:
> >> > Hello,
> >> >
> >> > A backup application is trying to read files/directories as part of
> >> > backup. This is being done in the context of a user who is a member of
> >> > BUILTIN\backup operators group in Samba. Application is
> >> > requesting FILE_READ_DATA access and as the user has no explicit read
> >> > access for the directory/file, it is failing with access denied. I see
> >> > that only share security check is bypassed for a member of backup
> >> > operators group while read access is required for reading files even if
> >> > the user is a member of backup operators group. Can you please let me
> >> > know if this is by design?
> >>
> >> Did they signal backup intent? I seem to recall that you need this bit
> >> in the CREATE as well.
> >>
> >> #define FILE_OPEN_FOR_BACKUP_INTENT    0x4000
> >>
> >>
> >> --
> >> Regards,
> >> Richard Sharpe
> >> (What can dispel sorrow? Only Du Kang. --Cao Cao)
> >
> >
>
>
>
> --
> Regards,
> Richard Sharpe
> (What can dispel sorrow? Only Du Kang. --Cao Cao)
>
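
The decision discussed in this thread, as an added example that is not part of the original message and is not Samba's code: a simplified model in which the backup privilege is considered only when the CREATE carries FILE_OPEN_FOR_BACKUP_INTENT, and then only for read-side rights. The `model_*` names and the exact set of rights covered by the privilege are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_OPEN_FOR_BACKUP_INTENT 0x4000u  /* create option quoted in the thread */
#define FILE_READ_DATA              0x0001u
#define FILE_WRITE_DATA             0x0002u
#define FILE_READ_EA                0x0008u
#define FILE_READ_ATTRIBUTES        0x0080u
#define READ_CONTROL                0x00020000u
/* Assumption: rights the backup privilege may stand in for (read side only). */
#define MODEL_BACKUP_RIGHTS \
    (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL)

struct model_token {            /* hypothetical stand-in for a security token */
    bool has_backup_privilege;  /* e.g. a member of the backup operators group */
};

/* Returns the access bits still denied (0 means the open is allowed).
 * dacl_granted: bits the file's ACL grants this user (computed elsewhere). */
uint32_t model_file_access_check(const struct model_token *tok,
                                 uint32_t dacl_granted,
                                 uint32_t create_options,
                                 uint32_t desired)
{
    uint32_t missing = desired & ~dacl_granted;
    /* The privilege is considered only if the client signalled backup intent. */
    bool priv_open_requested =
        (create_options & FILE_OPEN_FOR_BACKUP_INTENT) != 0;

    if (missing != 0 && priv_open_requested && tok->has_backup_privilege) {
        missing &= ~MODEL_BACKUP_RIGHTS;  /* never widens to write access */
    }
    return missing;
}

int main(void)
{
    struct model_token op = { true };
    /* Constructed cases: the ACL grants nothing, the user wants FILE_READ_DATA. */
    printf("with intent:    denied=0x%x\n", (unsigned)model_file_access_check(
               &op, 0, FILE_OPEN_FOR_BACKUP_INTENT, FILE_READ_DATA));
    printf("without intent: denied=0x%x\n", (unsigned)model_file_access_check(
               &op, 0, 0, FILE_READ_DATA));
    return 0;
}
```

Keeping the privilege path gated on both the intent bit and a bounded rights mask is what stops group membership alone from acting as a blanket ACL bypass.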


More information about the samba-technical mailing list