[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access

Jeremy Allison jra at samba.org
Fri Mar 1 21:00:07 UTC 2019


On Fri, Mar 01, 2019 at 10:38:10AM -0800, Jeremy Allison via samba-technical wrote:
> On Fri, Mar 01, 2019 at 07:17:35PM +0100, Ralph Böhme wrote:
> > On Fri, Mar 01, 2019 at 06:42:05PM +0100, Ralph Böhme wrote:
> > > On Fri, Mar 01, 2019 at 05:59:20PM +0100, Ralph Böhme wrote:
> > > > On Fri, Mar 01, 2019 at 08:42:19AM -0800, Jeremy Allison wrote:
> > > > > I'll take a look, but if you've allowed these new tests
> > > > > to pass whilst simplifying the algorithm I'm all in favour :-).
> > > > 
> > > > yeah, but it's a really subtle change with security implications.
> > > > 
> > > > I still have to do a larger rewrite, so I think you can ignore the
> > > > patches for now. I'll update here once I have something in shape for
> > > > curious eyes. :)
> > > 
> > > > ok, this one looks much better. WIP patchset attached.
> > 
> > yeah, this seems to be going in the right direction. We can split the main
> > patch with the fix into two individual patches, fixing the OWNER-RIGHTS-DENY
> > and OWNER-RIGHTS-DENY1 tests individually, better demonstrating the problem.
> > 
> > And then I'd say OWNER-RIGHTS-DENY1 is a different bug.
> 
> One quick comment. Are we testing the case where the
> ACL has multiple owner-rights ACE entries, some allow,
> some deny ?
> 
> Not sure how Windows handles that.

Never mind, I just did a quick mod of the DENY1 case
to check that, and both Windows and your new access_check_max_allowed()
version do the same thing.

Great work !


