[PATCH] Follow "SeChangeNotifyPrivilege" for notifies

Jeremy Allison jra at samba.org
Mon Nov 19 18:00:29 UTC 2018


On Mon, Nov 19, 2018 at 03:13:56PM +0100, Volker Lendecke via samba-technical wrote:
> Hi!
> 
> The attached patch limits notify replies for smbd according to
> (according to my tests) what Windows does: If SeChangeNotifyPrivilege
> is not granted, the caller only sees notifies for things it would have
> access to.
> 
> Two caveats:
> 
> This is a change in default behaviour, because unlike Windows Samba
> does not grant SeChangeNotifyPrivilege for everyone by default. I
> think this is okay, everything else would cause upgrade nightmares.
> 
> It's not easy to test. In the normal "make test" environments, taking
> away rights for yourself yet still being able to trigger things as the
> same user is not possible. At least I did not find a way. Also, if we
> use Unix permissions, the posix_acls.c code always grants RWX to a
> directory owner, regardless of what the incoming setacl call said. I
> spent more than a day now on streamlining the code (see the cli_notify
> improvement I just sent), but every time I tried something new I hit
> another blocker. So this is a patch without a test. Manually it's not
> hard to test, but in "make test" I am out of ideas.
> 
> Comments?

Hideous but possible way to test :-). Test vfs_module
that removes EXECUTE access for a filename that matches
a specific test pathname (stored as a custom parameter
in the share definition created in Samba3.pm) ?

Might be done as a nasty custom parameter inside
vfs_fake_acls.c as I think that's a module that is
only ever used for tests, not in a real environment.

What do you think ?

Jeremy.


