[Samba] Can't modify ms word files with samba 3.3

Jeremy Allison jra at samba.org
Wed Mar 4 16:46:44 GMT 2009


On Thu, Feb 26, 2009 at 12:26:52AM +0100, François Legal wrote:
> 
> To be honest, I did not really understand what SACL is. Are you talking
> about file and directories ACLs?
> 
> How do I know if my users have the SE_SECURITY_NAME privilege? My users
> (especially the one who is accessing the file in the log) are normal users
> without any specific privilege (not even domain admins nor local
> workstation admin). However, they're not prevented from setting files and
> directories ACLs either on local or network drives (they're welcome to as
> our filesystems are XFS).
> 
> About the application requesting something specific, I don't know. The
> file was created with that same version of MS Word (2007) by that same user
> (the one trying to modify it as in the log) but with another samba version
> (one of 3.2.0, 3.2.2 or 3.2.4).
> 
> Where should I go from here?

Ok, can you try this patch against 3.3.1? It might change
client behavior, as at the moment we return NT_STATUS_ACCESS_DENIED
when a client asks for SEC_FLAG_SYSTEM_SECURITY access to a file
(which is a request to get at the system security audit ACL).

The patch changes our behavior to return an error of NT_STATUS_PRIVILEGE_NOT_HELD
instead, which may then cause the client to fall back to asking
for fewer privileges on the open (thus allowing it to succeed).

Thanks,

Jeremy.
-------------- next part --------------
diff --git a/source/lib/util_seaccess.c b/source/lib/util_seaccess.c
index 0da7442..ab0f09b 100644
--- a/source/lib/util_seaccess.c
+++ b/source/lib/util_seaccess.c
@@ -179,17 +179,20 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 			bits_remaining));
 	}
 
-#if 0
-	/* We need to support SeSecurityPrivilege for this. */
 
 	if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+#if 0
+		/* We need to support SeSecurityPrivilege for this. */
 		if (user_has_privileges(token, &sec_security)) {
 			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 		} else {
 			return NT_STATUS_PRIVILEGE_NOT_HELD;
 		}
-	}
+#else
+		return NT_STATUS_PRIVILEGE_NOT_HELD;
+
 #endif
+	}
 
 	/* a NULL dacl allows access */
 	if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
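
Review bot: The live `#else` path inside the `if (access_desired & SEC_FLAG_SYSTEM_SECURITY)` block returns NT_STATUS_PRIVILEGE_NOT_HELD for every token without any comment, because the only explanation ("We need to support SeSecurityPrivilege for this.") has moved into the `#if 0` dead code. Please add a comment on the `#else` side saying that the privilege check is not implemented yet and that all callers are therefore refused. That comment should also note that this return sits ahead of the "a NULL dacl allows access" check, so a request carrying this bit is now refused even when the DACL is present but NULL; if that is intended, say so. Style: the blank line between the new `return` and `#endif`, and the doubled blank line left where the old `#if 0` was removed, can both go.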

