Does any MS document clarify the behavior when a parent allows DELETE CHILD on an object but the object has a DENY DELETE

Richard Sharpe realrichardsharpe at gmail.com
Wed Jun 15 21:35:28 UTC 2016


On Wed, Jun 15, 2016 at 1:58 PM, Jeremy Allison <jra at samba.org> wrote:
> On Wed, Jun 15, 2016 at 12:17:08PM -0700, Richard Sharpe wrote:
>> On Wed, Jun 15, 2016 at 12:02 PM, Uri Simchoni <uri at samba.org> wrote:
>> > On 06/15/2016 09:29 PM, Richard Sharpe wrote:
>> >> Hi folks,
>> >>
>> >> A quick look at MS-DTYP does not clarify this question for me.
>> >>
>> >> What is the actual behavior when you have a directory, D, with an
>> >> object O in it, and the DACL on D allows DELETE_CHILD for user U but O
>> >> has a DENY DELETE ACE for user U in its DACL?
>> >>
>> > MS-FSA 2.1.5.1.2.1 details this. My interpretation (haven't tested
>> > against a Windows machine) is that delete is granted if either the
>> > file's DACL grants DELETE or the parent grants DELETE_CHILD (by "grants"
>> > I mean "allows and not denies"), i.e. that it will be allowed.
>>
>> Thanks. I guess I should have looked at MS-FSA.
>>
>> This appears to be the sentence:
>>
>> If (Open.RemainingDesiredAccess.MAXIMUM_ALLOWED ||
>> Open.RemainingDesiredAccess.DELETE), the object store MUST set
>> Open.GrantedAccess.DELETE if AccessCheck(SecurityContext,
>> Open.Link.ParentFile.SecurityDescriptor, FILE_DELETE_CHILD) returns
>> TRUE.
>
> Yes, DELETE_CHILD can override a DENY DELETE ACE.

This is my shocked face!

-- 
Regards,
Richard Sharpe
(How does one dispel sorrow? Only with Du Kang wine. -- Cao Cao)
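As an added illustration (not code from the thread or from Samba), here is a small Python model of the two checks quoted above, MS-DTYP-style ordered DACL evaluation plus the MS-FSA rule that DELETE is granted if either the file's DACL grants DELETE or the parent's DACL grants FILE_DELETE_CHILD. SIDs and DACLs are constructed for the example; MAXIMUM_ALLOWED and NULL/empty-DACL handling are deliberately omitted.

```python
# Subset of Windows ACCESS_MASK bits relevant to deletion (MS-DTYP 2.4.3 / winnt.h values).
DELETE = 0x00010000
FILE_DELETE_CHILD = 0x00000040

# Constructed SIDs for the example; real values come from the token and the DACLs.
USER_U = "S-1-5-21-1-2-3-1001"
USER_V = "S-1-5-21-1-2-3-1002"


def access_check(dacl, token_sids, desired):
    """Simplified MS-DTYP DACL evaluation.

    dacl is an ordered list of (ace_type, sid, mask). ACEs are walked in order:
    a DENY ACE for a SID in the token whose mask overlaps any still-requested bit
    fails the check, an ALLOW ACE strips its bits from the request, and the check
    passes once nothing remains to grant. Later ACEs cannot undo an earlier DENY.
    """
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "DENY" and mask & remaining:
            return False
        if ace_type == "ALLOW":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def delete_granted(file_dacl, parent_dacl, token_sids):
    """MS-FSA 2.1.5.1.2.1 as quoted in the thread: DELETE on the object is granted
    if the object's own DACL grants DELETE, OR the parent grants FILE_DELETE_CHILD.
    The two checks are independent, so a DENY on the file is not consulted when
    the parent check succeeds."""
    return (access_check(file_dacl, token_sids, DELETE)
            or access_check(parent_dacl, token_sids, FILE_DELETE_CHILD))


# Constructed scenario from the thread: directory D grants DELETE_CHILD to U,
# while object O inside D carries an explicit DENY DELETE ACE for U.
DACL_D = [("ALLOW", USER_U, FILE_DELETE_CHILD)]
DACL_O = [("DENY", USER_U, DELETE)]

if __name__ == "__main__":
    # U can still delete O: the parent's DELETE_CHILD satisfies the second branch.
    print("U can delete O:", delete_granted(DACL_O, DACL_D, {USER_U}))
    # V holds nothing on either object, so the request fails.
    print("V can delete O:", delete_granted(DACL_O, DACL_D, {USER_V}))
```

When auditing who can remove a file, the parent directory's DACL must be read alongside the file's own; a DENY DELETE on the file alone is not an effective control.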
