[Samba] Can't modify ms word files with samba 3.3
Jeremy Allison
jra at samba.org
Wed Mar 4 16:46:44 GMT 2009
On Thu, Feb 26, 2009 at 12:26:52AM +0100, François Legal wrote:
>
> To be honest, I did not really understand what SACL is. Are you talking
> about file and directory ACLs?
>
> How do I know if my users have the SE_SECURITY_NAME privilege? My users
> (especially the one who is accessing the file in the log) are normal users
> without any specific privilege (not even domain admins nor local
> workstation admin). However, they're not prevented from setting files and
> directories ACLs either on local or network drives (they're welcome to as
> our filesystems are XFS).
>
> About the application requesting something specific, I don't know. The
> file was created with that same version of MS Word (2007) by that same user
> (the one trying to modify it as in the log) but with another samba version
> (one of 3.2.0, 3.2.2 or 3.2.4).
>
> Where should I go from here?
Ok, can you try this patch against 3.3.1? It might change
client behavior, as at the moment we return NT_STATUS_ACCESS_DENIED
when a client asks for SEC_FLAG_SYSTEM_SECURITY access to a file
(which is a request to get at the system security audit ACL).
The patch changes our behavior to return an error of NT_STATUS_PRIVILEGE_NOT_HELD
instead, which may then cause the client to fall back to asking
for fewer privileges on the open (thus allowing it to succeed).
Thanks,
Jeremy.
-------------- next part --------------
diff --git a/source/lib/util_seaccess.c b/source/lib/util_seaccess.c
index 0da7442..ab0f09b 100644
--- a/source/lib/util_seaccess.c
+++ b/source/lib/util_seaccess.c
@@ -179,17 +179,20 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
bits_remaining));
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+#if 0
+ /* We need to support SeSecurityPrivilege for this. */
if (user_has_privileges(token, &sec_security)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
- }
+#else
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+
#endif
+ }
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
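Review bot: the new `#else` branch inside the `SEC_FLAG_SYSTEM_SECURITY` block returns NT_STATUS_PRIVILEGE_NOT_HELD for every caller and carries no comment, while the only explanation ("We need to support SeSecurityPrivilege for this.") has moved into the disabled `#if 0` half, where it reads as describing dead code. Suggest putting a comment on the `#else` return saying that SeSecurityPrivilege is not supported yet, so every request for this access bit is refused regardless of the token, and noting that this return happens before the "a NULL dacl allows access" check that follows, so that check is never reached for such requests. The blank `+` line added before `#endif` can be dropped.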