[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access
Ralph Böhme
slow at samba.org
Fri Mar 1 15:16:03 UTC 2019
On Fri, Mar 01, 2019 at 01:10:14PM +0100, Ralph Böhme via samba-technical wrote:
>> Am 01.03.2019 um 13:02 schrieb David Disseldorp via samba-technical <samba-technical at lists.samba.org>:
>>
>> On Thu, 28 Feb 2019 15:42:44 -0800, Jeremy Allison via samba-technical wrote:
>>
>>>> Wouldn't this now mean that an owner_rights_allowed ACE now takes
>>>> precedence over an owner_rights_denied ACE if the former comes first?
>>>> I'll need to take a closer look at the spec tomorrow for this.
>>>
>>> Yes, that's exactly the case. That's what the test shows.
>>
>> The reason why I'm struggling to get my head around this is that the
>> behaviour is inconsistent with how regular ACEs are handled - we
>> just do a simple (granted & ~denied), instead of giving special
>> precendence to allow ACEs.
>
>fyi, I'm currently looking into this.
>
>It seems our algo is completely screwed, I'M working on algining the functions with MS-DTYP 2.5.3.2, but that is a *big* can of worms.
>
>I can push what I have in a few minutes if you'd like to take a look...
branch: https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/mxac
Top commit is the main change:
https://git.samba.org/?p=slow/samba.git;a=commit;h=9a45b82ff1d90152885c9b46d9f42c08ac749fcc
Also lets Jeremy's OWNER-RIGHTS-DENY1 pass.
Passes make test TESTS=smb2.acls
CI: https://gitlab.com/samba-team/devel/samba/pipelines/49877228
The sec_access_check_ds() function is still missing the new correct
implementation of max access calculations.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
More information about the samba-technical
mailing list