[PATCH] Bug in dealing with "Owner Rights" ACEs when calculating maximum access

Jeremy Allison jra at samba.org
Thu Feb 28 19:48:26 UTC 2019

On Thu, Feb 28, 2019 at 06:49:51PM +0100, Ralph Böhme via samba-technical wrote:
> Hi!
> Just came across this one:
> https://bugzilla.samba.org/show_bug.cgi?id=13812
> When an SMB2 client queries maximum permission on a file or directory that
> has an explicit "Owner Rights" ACE, hell breaks loose. The bugreport has all
> the nasty details.
> A customer ran across this with macOS clients, as in vfs_fruit I'm also
> calling se_access_check() with SEC_FLAG_MAXIMUM_ALLOWED.
> Please review & push if happy. Thanks!

Mostly looks great, and already got pushed :-).

But I would like clarification on this bit please :

                if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
                        if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
                                owner_rights_allowed |= ace->access_mask;
                                owner_rights_default = false;
                        } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
                                owner_rights_denied |= (owner_rights_allowed &

                                SEE BELOW(*)

                                owner_rights_default = false;

That adds to owner_rights_denied only the access bits
that have already been set in owner_rights_allowed, masked
(ANDed) with the access mask in the deny ACE.

Can you explain where that bit of the algorithm came from ?

My naive reading of this says it should be:

owner_rights_denied |= ace->access_mask

Is there a MS-DTYP reference for this that I'm missing ?

Sorry if I'm being dumb :-).


More information about the samba-technical mailing list