[Samba] Security leak in map_nt_perms?

Abramo Bagnara abramo.bagnara at gmail.com
Sat Aug 16 07:42:51 GMT 2008


Jeremy Allison wrote:
>>
>> NT ACL: Allow SID FILE_READ_ATTRIBUTES
>> Current samba perms for owner, group or others: r--
>> Current samba posix acl: user:abramo:r--
>> Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
>> FILE_READ_EA FILE_GENERIC_READ
>> Proposed samba perms for owner, group or others: ---
>> Proposed samba posix acl: entry is removed
>> Proposed new NT ACL for owner, group or others: Allow SID EMPTY
>> Proposed new NT ACL: ACE is removed
>>
>> I'm simply suggesting that this case is treated as if it was a request to
>> have an empty list of accesses for that SID.
> 
> Now re-read the ACL on Windows. The '---' will be seen as a DENY
> ACE. That's the problem. POSIX has no deny ACLs so we have to overload
> no permissions in order to get the essential deny capability.

I'm definitely unable to reproduce what you write with the following
environment:
server: samba-3.0.28a-1ubuntu4.4
client: windows 2000 server

No DENY ACEs are re-read from Windows (when needed it's converted to an
empty ALLOW ACE).

The test is rather easy: I've changed the access control from Windows
Explorer, simply taking care to have FILE_READ_ATTRIBUTES and
FILE_READ_EA equal to FILE_READ_DATA (that's the behaviour I'd ask for
in Samba). To avoid ACE removal by the user interface I can leave READ_CONTROL
enabled.

The result seen on re-reading the ACE is an empty allow.

This is exactly what I'd expect...
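
As an added illustration (not part of the original post and not Samba's own code), the C model below round-trips an ACE mask through a single POSIX 'r' bit under the "current" and "proposed" rules from the quoted table and reports which rights come back that were never requested. The function names and the treatment of FILE_READ_EA under the current rule are assumptions; only the FILE_READ_ATTRIBUTES case is taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows file access-mask bits (values from the Windows SDK). */
#define FILE_READ_DATA        0x00000001u
#define FILE_READ_EA          0x00000008u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define FILE_GENERIC_READ     (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | \
                               FILE_READ_EA | FILE_READ_ATTRIBUTES)
#define POSIX_R 4u /* the 'r' bit of an rwx triple */

/* Model of the "current" rule in the thread: a read-type bit alone yields 'r'.
 * Including FILE_READ_EA here is an assumption, not shown on the page. */
unsigned nt_to_posix_current(uint32_t mask)
{
    return (mask & (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)) ? POSIX_R : 0;
}

/* Model of the "proposed" rule: 'r' only when FILE_READ_DATA was requested. */
unsigned nt_to_posix_proposed(uint32_t mask)
{
    return (mask & FILE_READ_DATA) ? POSIX_R : 0;
}

/* Read-back: 'r' is reported as the full generic read set, '---' as empty. */
uint32_t posix_to_nt(unsigned perms)
{
    return (perms & POSIX_R) ? FILE_GENERIC_READ : 0;
}

/* Rights present after the round trip that the requested ACE did not contain. */
uint32_t widened_bits(uint32_t requested, unsigned (*map)(uint32_t))
{
    return posix_to_nt(map(requested)) & ~requested;
}

int main(void)
{
    uint32_t req = FILE_READ_ATTRIBUTES; /* constructed sample ACE mask */
    printf("current : gained 0x%08x\n", (unsigned)widened_bits(req, nt_to_posix_current));
    printf("proposed: gained 0x%08x\n", (unsigned)widened_bits(req, nt_to_posix_proposed));
    return 0;
}
```

A non-zero result that includes FILE_READ_DATA means the stored permission is broader than the ACE the administrator set, which is the condition an ACL audit would want to flag.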


