[Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set

Jeremy Allison jra at samba.org
Mon Feb 27 17:55:29 MST 2012


On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> ---------- Forwarded message ----------
> From: Tom Lee <tlee2951 at gmail.com>
> Date: Mon, Feb 27, 2012 at 3:10 PM
> Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
> has System Security bit set
> To: Jeremy Allison <jra at samba.org>
> 
> 
> Jeremy, thanks for your response.  I didn't actually build Samba from
> sources; I'm just running the version of Samba that comes with OpenSuse
> v12.1, which is 3.6.1-34.3.1.x86_64.
> 
> I'm pretty sure the chunk of code inside libcli/security/access_check.c you
> mentioned is enabled with this version, since before I gave the
> Administrator user SeSecurityPrivilege I was getting the
> NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
> error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
> coming from the check in open.c smbd_calculate_access_mask.
> 
> Please let me know if there is something else I should try or if you need
> any additional info on my configuration. Thanks.

Ok, I've figured it out. The share security mask isn't being
set correctly when you have these privileges.

If you can build from source code, can you test the
following patch (should apply cleanly to 3.6.x)?

Jeremy.
-------------- next part --------------
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index a9b618f..0fbfeaa 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -115,6 +115,21 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
 	}
 
+	if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+		granted |= SEC_FLAG_SYSTEM_SECURITY;
+	}
+
+	if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+		granted |= (SEC_RIGHTS_PRIV_RESTORE);
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+		granted |= (SEC_RIGHTS_PRIV_BACKUP);
+	}
+
+	if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+		granted |= (SEC_STD_WRITE_OWNER);
+	}
+
 	if (sd->dacl == NULL) {
 		return granted & ~denied;
 	}
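Review bot: the new privilege-derived grants (SEC_FLAG_SYSTEM_SECURITY, SEC_RIGHTS_PRIV_RESTORE, SEC_RIGHTS_PRIV_BACKUP, SEC_STD_WRITE_OWNER) sit before the `sd->dacl == NULL` early return, so they are reported as maximum-allowed regardless of what the object's DACL says, yet nothing in the hunk records that intent; a one-line comment stating that MAXIMUM_ALLOWED must include rights conferred by held privileges would save the next reader from wondering whether the DACL bypass is deliberate. Minor style points: `granted |= (SEC_RIGHTS_PRIV_RESTORE);`, `granted |= (SEC_RIGHTS_PRIV_BACKUP);` and `granted |= (SEC_STD_WRITE_OWNER);` carry parentheses that the otherwise identical `granted |= SEC_FLAG_SYSTEM_SECURITY;` does not, and the RESTORE and BACKUP blocks are the only pair not separated by a blank line.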

