[Samba] Security leak in map_nt_perms?

Abramo Bagnara abramo.bagnara at gmail.com
Fri Aug 15 18:07:58 GMT 2008


Jeremy Allison wrote:
> On Fri, Aug 15, 2008 at 11:52:17AM +0200, Abramo Bagnara wrote:
>> Sorry to appear dense, but I don't see the problem: the request to
>> allow FILE_READ_ATTRIBUTES only would generate 000 perms, just as if
>> map_nt_perms was called with only permissions not handled there.
>>
>> I'd say that a request to allow FILE_READ_ATTRIBUTES only doesn't have to
>> generate any ACE at all (as this request, from a Unix permission model
>> point of view, doesn't give the user/group any further rights).
>>
>> Could you explain how a possible conflict with a requested DENY ACE
>> could happen?
> 
> Existing file has FILE_READ_DATA|FILE_WRITE_DATA|FILE_READ_ATTRIBUTES.
> Acl comes in to change this to FILE_READ_ATTRIBUTES. Samba has to map
> this to '---' according to you. Oops. Instant deny ACL. Not what was
> intended.

I'll try to detail your example, as it seems there is some misunderstanding:

NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES FILE_WRITE_DATA
Current samba perms for owner, group or others: rw-
Current samba posix acl: user:abramo:rw-
Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
FILE_READ_EA FILE_GENERIC_READ FILE_WRITE_DATA FILE_APPEND_DATA
FILE_WRITE_ATTRIBUTES FILE_WRITE_EA FILE_GENERIC_WRITE
Proposed is the same as current

NT ACL: Allow SID FILE_READ_ATTRIBUTES
Current samba perms for owner, group or others: r--
Current samba posix acl: user:abramo:r--
Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
FILE_READ_EA FILE_GENERIC_READ
Proposed samba perms for owner, group or others: ---
Proposed samba posix acl: entry is removed
Proposed new NT ACL for owner, group or others: Allow SID EMPTY
Proposed new NT ACL: ACE is removed

I'm simply suggesting that this case be treated as if it were a request to
have an empty list of accesses for that SID.

IOW, FILE_READ_ATTRIBUTES, FILE_READ_EA, FILE_WRITE_ATTRIBUTES and
FILE_WRITE_EA are masked out when received by the Samba server if they are
not available in the underlying file system permission model. They really
follow FILE_READ_DATA/FILE_WRITE_DATA.
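
The two cases walked through in the message above, as an added example that is not part of the original post and is not Samba's map_nt_perms source: a simplified C model of the mapping the post labels "current" and the one it labels "proposed". The function names, the META_BITS grouping and the treatment of FILE_APPEND_DATA as a write bit are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access-mask bits (standard Windows values). */
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u
/* Bits the post says have no counterpart in the rwx model (assumed grouping). */
#define META_BITS (FILE_READ_EA | FILE_WRITE_EA | \
                   FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES)
#define PERM_R 4u
#define PERM_W 2u

/* Model of the "current" rows: any read-class bit gives r, any write-class bit gives w. */
unsigned map_current(uint32_t mask) {
    unsigned p = 0;
    if (mask & (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)) p |= PERM_R;
    if (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
                FILE_WRITE_ATTRIBUTES)) p |= PERM_W;
    return p;
}

/* Model of the "proposed" rows: metadata bits are masked out before mapping. */
unsigned map_proposed(uint32_t mask) {
    unsigned p = 0;
    mask &= ~META_BITS;
    if (mask & FILE_READ_DATA) p |= PERM_R;
    if (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) p |= PERM_W;
    return p;
}
/* rwx bits the current mapping grants although no data access was requested. */
unsigned widened(uint32_t mask) { return map_current(mask) & ~map_proposed(mask); }
/* Proposed: an Allow ACE that maps to --- yields no POSIX ACL entry. */
int ace_kept(uint32_t mask) { return map_proposed(mask) != 0; }

int main(void) {
    /* The two NT ACLs from the message, constructed here as masks. */
    uint32_t cases[] = { FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_WRITE_DATA,
                         FILE_READ_ATTRIBUTES };
    for (int i = 0; i < 2; i++)
        printf("mask 0x%04x: current %o, proposed %o, widened %o, ACE kept %d\n",
               (unsigned)cases[i], map_current(cases[i]), map_proposed(cases[i]),
               widened(cases[i]), ace_kept(cases[i]));
    return 0;
}
```

A non-zero `widened` result marks an ACE for which the first mapping grants data access on the strength of metadata bits alone.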

