[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access

Jeremy Allison jra at samba.org
Fri Mar 1 16:42:19 UTC 2019


On Fri, Mar 01, 2019 at 04:16:03PM +0100, Ralph Böhme via samba-technical wrote:
> On Fri, Mar 01, 2019 at 01:10:14PM +0100, Ralph Böhme via samba-technical wrote:
> > > On 01.03.2019 at 13:02, David Disseldorp via samba-technical <samba-technical at lists.samba.org> wrote:
> > > 
> > > On Thu, 28 Feb 2019 15:42:44 -0800, Jeremy Allison via samba-technical wrote:
> > > 
> > > > > Wouldn't this now mean that an owner_rights_allowed ACE now takes
> > > > > precedence over an owner_rights_denied ACE if the former comes first?
> > > > > I'll need to take a closer look at the spec tomorrow for this.
> > > > 
> > > > Yes, that's exactly the case. That's what the test shows.
> > > 
> > > The reason why I'm struggling to get my head around this is that the
> > > behaviour is inconsistent with how regular ACEs are handled - we
> > > just do a simple (granted & ~denied), instead of giving special
> > > precedence to allow ACEs.
> > 
> > fyi, I'm currently looking into this.
> > 
> > It seems our algo is completely screwed, I'm working on aligning the functions with MS-DTYP 2.5.3.2, but that is a *big* can of worms.
> > 
> > I can push what I have in a few minutes if you'd like to take a look...
> 
> branch: https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/mxac
> 
> Top commit is the main change:
> 
> https://git.samba.org/?p=slow/samba.git;a=commit;h=9a45b82ff1d90152885c9b46d9f42c08ac749fcc
> 
> Also lets Jeremy's OWNER-RIGHTS-DENY1 pass.

Woo hoo ! It must be right then :-).

> Passes make test TESTS=smb2.acls
> 
> CI: https://gitlab.com/samba-team/devel/samba/pipelines/49877228
> 
> The sec_access_check_ds() function is still missing the new correct
> implementation of max access calculations.

I'll take a look, but if you've allowed these new tests
to pass whilst simplifying the algorithm I'm all in favour :-).
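
Added example, not part of the thread and not Samba's code: a C sketch contrasting the order-independent `(granted & ~denied)` calculation mentioned above with an order-dependent one in which an earlier allow ACE wins over a later deny ACE. The `struct ace` type, the function names and the bit values are hypothetical, every ACE is assumed to match the caller's token already, and the ordered rule is modelled on the behaviour described in the thread rather than quoted from MS-DTYP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified ACE: type plus access mask only. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

/* Order-independent: gather every allow and every deny, then subtract. */
uint32_t max_access_simple(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW)
            granted |= acl[i].mask;
        else
            denied |= acl[i].mask;
    }
    return granted & ~denied;
}

/* Order-dependent: the first ACE that mentions a bit decides that bit. */
uint32_t max_access_ordered(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW)
            granted |= acl[i].mask & ~denied;  /* skip bits already denied */
        else
            denied |= acl[i].mask & ~granted;  /* skip bits already granted */
    }
    return granted;
}

/* Constructed sample ACLs; the bit values are illustrative only. */
static const struct ace allow_then_deny[] = { {ACE_ALLOW, 0x3}, {ACE_DENY, 0x1} };
static const struct ace deny_then_allow[] = { {ACE_DENY, 0x1}, {ACE_ALLOW, 0x3} };

int main(void)
{
    printf("allow,deny: simple=0x%x ordered=0x%x\n",
           (unsigned)max_access_simple(allow_then_deny, 2),
           (unsigned)max_access_ordered(allow_then_deny, 2));
    printf("deny,allow: simple=0x%x ordered=0x%x\n",
           (unsigned)max_access_simple(deny_then_allow, 2),
           (unsigned)max_access_ordered(deny_then_allow, 2));
    return 0;
}
```

The two calculations agree when the deny ACE comes first and differ only when the allow ACE precedes it, which is the case the OWNER-RIGHTS tests in the thread are probing.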


