[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access

Ralph Böhme slow at samba.org
Fri Mar 1 15:16:03 UTC 2019

On Fri, Mar 01, 2019 at 01:10:14PM +0100, Ralph Böhme via samba-technical wrote:
>> Am 01.03.2019 um 13:02 schrieb David Disseldorp via samba-technical <samba-technical at lists.samba.org>:
>> On Thu, 28 Feb 2019 15:42:44 -0800, Jeremy Allison via samba-technical wrote:
>>>> Wouldn't this now mean that an owner_rights_allowed ACE now takes
>>>> precedence over an owner_rights_denied ACE if the former comes first?
>>>> I'll need to take a closer look at the spec tomorrow for this.
>>> Yes, that's exactly the case. That's what the test shows.
>> The reason why I'm struggling to get my head around this is that the
>> behaviour is inconsistent with how regular ACEs are handled - we
>> just do a simple (granted & ~denied), instead of giving special
>> precendence to allow ACEs.
>fyi, I'm currently looking into this.
>It seems our algo is completely screwed, I'M working on algining the functions with MS-DTYP, but that is a *big* can of worms.
>I can push what I have in a few minutes if you'd like to take a look...

branch: https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/mxac

Top commit is the main change:


Also lets Jeremy's OWNER-RIGHTS-DENY1 pass.

Passes make test TESTS=smb2.acls

CI: https://gitlab.com/samba-team/devel/samba/pipelines/49877228

The sec_access_check_ds() function is still missing the new correct 
implementation of max access calculations.


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

More information about the samba-technical mailing list