[PATCH] Fix se_access_check() to correctly process owner rights (S-1-3-4) DENY ace entries.

Ralph Böhme slow at samba.org
Fri Dec 9 17:19:22 UTC 2016


On Fri, Dec 09, 2016 at 09:09:47AM -0800, Jeremy Allison wrote:
> On Fri, Dec 09, 2016 at 11:54:35AM +0100, Ralph Böhme wrote:
> > > I think I found that this doesn't cover all cases, as it doesn't take
> > > into account rights that were allowed in a previous ACE (given a
> > > non-canonical ACL).
> > > 
> > > Not sure if this is a valid ACL, but with this one your patch will get
> > > an access denied when read+write data would be requested:
> > > 
> > > [0] SID: User SID 1-5-21-something
> > >     TYPE: ALLOW
> > >     MASK: READ_DATA
> > > 
> > > [1] SID: S-1-3-4
> > >     TYPE: DENY
> > >     MASK: READ_DATA
> > > 
> > > [0] SID: User SID 1-5-21-something
> > >     TYPE: ALLOW
> > >     MASK: WRITE_DATA
> > > 
> > > I'll post an alternative patch that should cover all cases later on.
> > 
> > attached.
> 
> Really nice work Ralph, thanks ! I really appreciate you catching
> and testing the additional corner case.
> 
> Pushing.
> 
> This kind of thing is what makes Samba so great ! :-) :-).

I was initially just wondering what was that "owner-right" thingy and wanted to
refresh my memory. :)

Cheerio!
-slow
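The non-canonical ACL quoted above, worked through as an added example (my illustration, not Samba's se_access_check() code): it walks the ACEs in order as the access-check algorithm in MS-DTYP does, lets S-1-3-4 stand in for the object owner, and contrasts that with a variant that compares a DENY ACE against the full requested mask instead of the not-yet-granted bits. The user SID and mask values are constructed for the example.

```python
# Added illustration, not Samba's se_access_check(): ordered ACE evaluation
# with OWNER RIGHTS (S-1-3-4) substitution. Mask values and SIDs are constructed.
READ_DATA = 0x1
WRITE_DATA = 0x2
OWNER_RIGHTS_SID = "S-1-3-4"
ALLOW, DENY = "ALLOW", "DENY"


def ace_matches(ace_sid, token_sids, token_is_owner):
    # S-1-3-4 is a placeholder for the object owner: it matches only when
    # the requesting token actually owns the object.
    if ace_sid == OWNER_RIGHTS_SID:
        return token_is_owner
    return ace_sid in token_sids


def access_check(acl, token_sids, token_is_owner, desired):
    """True if every bit in `desired` is granted.

    An ALLOW ACE clears the bits it grants from `remaining`; a DENY ACE only
    matters for bits still remaining, so an earlier ALLOW shields a later
    DENY in a non-canonical ACL (the corner case raised in the thread).
    """
    remaining = desired
    for ace_sid, ace_type, mask in acl:
        if remaining == 0:
            break
        if not ace_matches(ace_sid, token_sids, token_is_owner):
            continue
        if ace_type == DENY and (mask & remaining):
            return False
        if ace_type == ALLOW:
            remaining &= ~mask
    return remaining == 0


def buggy_access_check(acl, token_sids, token_is_owner, desired):
    """Variant that tests a DENY against the full requested mask; it refuses
    read+write on the thread's ACL even though READ_DATA was already granted."""
    remaining = desired
    for ace_sid, ace_type, mask in acl:
        if not ace_matches(ace_sid, token_sids, token_is_owner):
            continue
        if ace_type == DENY and (mask & desired):
            return False
        if ace_type == ALLOW:
            remaining &= ~mask
    return remaining == 0


USER = "S-1-5-21-example-1001"  # constructed user SID (the object owner here)
NON_CANONICAL_ACL = [
    (USER, ALLOW, READ_DATA),
    (OWNER_RIGHTS_SID, DENY, READ_DATA),
    (USER, ALLOW, WRITE_DATA),
]
```

Reordering the same ACEs canonically (DENY first) makes the owner's read+write request fail in both evaluators, while a non-owner token is never affected by the S-1-3-4 DENY.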