[Samba] Security leak in map_nt_perms?

Jeremy Allison jra at samba.org
Fri Aug 15 19:39:16 GMT 2008


On Fri, Aug 15, 2008 at 08:07:58PM +0200, Abramo Bagnara wrote:
> Jeremy Allison ha scritto:
> > On Fri, Aug 15, 2008 at 11:52:17AM +0200, Abramo Bagnara wrote:
> >> Sorry to seem dense, but I don't see the problem: the request to
> >> allow FILE_READ_ATTRIBUTES only would generate 000 perms just as if
> >> map_nt_perms was called with only permissions not handled there.
> >>
> >> I'd say that a request to allow FILE_READ_ATTRIBUTES only doesn't have to
> >> generate any ACE at all (as, from a Unix permission model point of
> >> view, this request doesn't give the user/group any further right).
> >>
> >> Could you explain how a possible conflict with a requested DENY ACE
> >> could happen?
> > 
> > Existing file has FILE_READ_DATA|FILE_WRITE_DATA|FILE_READ_ATTRIBUTES.
> > Acl comes in to change this to FILE_READ_ATTRIBUTES. Samba has to map
> > this to '---' according to you. Oops. Instant deny ACL. Not what was
> > intended.
> 
> I'll try to detail your example as it seems there is some misunderstanding:
> 
> NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES FILE_WRITE_DATA
> Current samba perms for owner, group or others: rw-
> Current samba posix acl: user:abramo:rw-
> Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
> FILE_READ_EA FILE_GENERIC_READ FILE_WRITE_DATA FILE_APPEND_DATA
> FILE_WRITE_ATTRIBUTES FILE_WRITE_EA FILE_GENERIC_WRITE
> Proposed is the same as current
> 
> NT ACL: Allow SID FILE_READ_ATTRIBUTES
> Current samba perms for owner, group or others: r--
> Current samba posix acl: user:abramo:r--
> Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
> FILE_READ_EA FILE_GENERIC_READ
> Proposed samba perms for owner, group or others: ---
> Proposed samba posix acl: entry is removed
> Proposed new NT ACL for owner, group or others: Allow SID EMPTY
> Proposed new NT ACL: ACE is removed
> 
> I'm simply suggesting that this case be treated as if it were a request to
> have an empty list of accesses for that SID.

Now re-read the ACL on Windows. The '---' will be seen as a DENY
ACE. That's the problem. POSIX has no deny ACLs so we have to overload
no permissions in order to get the essential deny capability.

Jeremy.
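As an added illustration of the round trip the two of them are arguing about (my own model, not Samba's smbd/posix_acls.c): an incoming NT ACE is collapsed to POSIX rwx bits, and a Windows client later reads those bits back as an ACE. The bit values are the Windows file access-mask constants; the r/w/x mapping, the generic read/write expansion on re-read, and the "no bits means DENY" rule are assumptions modelled on the thread, and `drop_empty_entries` models the proposal to remove the entry instead.

```python
# Added example, not Samba code: a simplified model of the NT -> POSIX -> NT
# round trip.  The mapping rules are assumptions taken from the discussion.
FILE_READ_DATA        = 0x0001
FILE_WRITE_DATA       = 0x0002
FILE_APPEND_DATA      = 0x0004
FILE_READ_EA          = 0x0008
FILE_WRITE_EA         = 0x0010
FILE_EXECUTE          = 0x0020
FILE_READ_ATTRIBUTES  = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100

ALLOW, DENY = "ALLOW", "DENY"

def map_nt_perms(mask):
    """NT access mask -> POSIX rwx string.  Attribute and EA bits have no
    POSIX counterpart, so an ACE carrying only those collapses to '---'."""
    return ("r" if mask & FILE_READ_DATA else "-") + \
           ("w" if mask & (FILE_WRITE_DATA | FILE_APPEND_DATA) else "-") + \
           ("x" if mask & FILE_EXECUTE else "-")

def posix_to_nt_ace(mode):
    """POSIX rwx -> (ace_type, mask) as a client would read it back.  POSIX has
    no deny entries, so an entry with no bits is overloaded to mean DENY (the
    denied mask here is constructed); other entries re-expand r/w to the
    read/write sets listed in the thread."""
    if mode == "---":
        return (DENY, FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE)
    mask = 0
    if "r" in mode:
        mask |= FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
    if "w" in mode:
        mask |= FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
    if "x" in mode:
        mask |= FILE_EXECUTE
    return (ALLOW, mask)

def set_and_reread(mask, drop_empty_entries=False):
    """Apply an incoming ALLOW ACE and return what a re-read produces.
    With drop_empty_entries=True an ACE that maps to '---' removes the POSIX
    entry instead of storing it, so None comes back rather than a DENY ACE."""
    mode = map_nt_perms(mask)
    if drop_empty_entries and mode == "---":
        return None
    return posix_to_nt_ace(mode)
```

`set_and_reread(FILE_READ_ATTRIBUTES)` is the case in dispute: stored as '---', it comes back as a DENY ACE, which is the unintended inversion described above.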
