[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access

Jeremy Allison jra at samba.org
Fri Mar 1 18:38:10 UTC 2019


On Fri, Mar 01, 2019 at 07:17:35PM +0100, Ralph Böhme wrote:
> On Fri, Mar 01, 2019 at 06:42:05PM +0100, Ralph Böhme wrote:
> > On Fri, Mar 01, 2019 at 05:59:20PM +0100, Ralph Böhme wrote:
> > > On Fri, Mar 01, 2019 at 08:42:19AM -0800, Jeremy Allison wrote:
> > > > I'll take a look, but if you've allowed these new tests
> > > > to pass whilst simplifying the algorithm I'm all in favour :-).
> > > 
> > > yeah, but it's a really subtle change with security implications.
> > > 
> > > I still have to do a larger rewrite, so I think you can ignore the
> > > patches for now. I'll update here once I have something in shape for
> > > curious eyes. :)
> > 
> > ok, this one looks much better. WIP patchset attached.
> 
> yeah, this seems to be going in the right direction. We can split the main
> patch with the fix into two individual patches, fixing the OWNER-RIGHTS-DENY
> and OWNER-RIGHTS-DENY1 tests individually, better demonstrating the problem.
> 
> And then I'd say OWNER-RIGHTS-DENY1 is a different bug.

One quick comment. Are we testing the case where the
ACL has multiple owner-rights ACE entries, some allow,
some deny?

Not sure how Windows handles that.


