[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access
slow at samba.org
Fri Mar 1 15:16:03 UTC 2019
On Fri, Mar 01, 2019 at 01:10:14PM +0100, Ralph Böhme via samba-technical wrote:
>> On 01.03.2019 at 13:02, David Disseldorp via samba-technical <samba-technical at lists.samba.org> wrote:
>> On Thu, 28 Feb 2019 15:42:44 -0800, Jeremy Allison via samba-technical wrote:
>>>> Wouldn't this now mean that an owner_rights_allowed ACE now takes
>>>> precedence over an owner_rights_denied ACE if the former comes first?
>>>> I'll need to take a closer look at the spec tomorrow for this.
>>> Yes, that's exactly the case. That's what the test shows.
>> The reason why I'm struggling to get my head around this is that the
>> behaviour is inconsistent with how regular ACEs are handled - we
>> just do a simple (granted & ~denied), instead of giving special
>> precedence to allow ACEs.
>fyi, I'm currently looking into this.
>It seems our algo is completely screwed, I'm working on aligning the functions with MS-DTYP 126.96.36.199, but that is a *big* can of worms.
>I can push what I have in a few minutes if you'd like to take a look...
Top commit is the main change:
Also lets Jeremy's OWNER-RIGHTS-DENY1 pass.
Passes make test TESTS=smb2.acls
The sec_access_check_ds() function is still missing the new correct
implementation of max access calculations.
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
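
The ordering question raised in this thread, as an added example that is not part of the original mail and is neither Samba's code nor the MS-DTYP pseudocode: it contrasts an order-insensitive `(granted & ~denied)` calculation with an order-sensitive walk in which an earlier allow ACE wins over a later deny ACE. The ACE struct, the right bits and the function names are constructed for illustration, and SID matching is assumed to have already succeeded for every ACE.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model: each ACE is only a type and a mask, and
 * every ACE is assumed to apply to the caller (no SID matching). */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

#define RIGHT_READ  0x1u  /* constructed bit values, not real access masks */
#define RIGHT_WRITE 0x2u

/* The same two ACEs in both orders (constructed sample ACLs). */
static const struct ace allow_first[] = {
    { ACE_ALLOW, RIGHT_READ | RIGHT_WRITE }, { ACE_DENY, RIGHT_WRITE } };
static const struct ace deny_first[] = {
    { ACE_DENY, RIGHT_WRITE }, { ACE_ALLOW, RIGHT_READ | RIGHT_WRITE } };

/* Order-insensitive: collect every allowed and denied bit, then subtract.
 * This is the "(granted & ~denied)" shape mentioned in the thread. */
static uint32_t max_access_simple(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask;
        else                          denied  |= acl[i].mask;
    }
    return granted & ~denied;
}

/* Order-sensitive: the first ACE that mentions a bit decides it; a later
 * ACE cannot revoke an earlier grant or override an earlier denial. */
static uint32_t max_access_ordered(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask & ~denied;
        else                          denied  |= acl[i].mask & ~granted;
    }
    return granted;
}

int main(void)
{
    printf("allow first: simple=0x%x ordered=0x%x\n",
           max_access_simple(allow_first, 2), max_access_ordered(allow_first, 2));
    printf("deny first:  simple=0x%x ordered=0x%x\n",
           max_access_simple(deny_first, 2), max_access_ordered(deny_first, 2));
    return 0;
}
```

The two functions agree when the deny ACE comes first and differ only when the allow ACE precedes it, which is the case the quoted question asks about.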