[Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set

Jeremy Allison jra at samba.org
Tue Feb 28 10:42:06 MST 2012


On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > ---------- Forwarded message ----------
> > From: Tom Lee <tlee2951 at gmail.com>
> > Date: Mon, Feb 27, 2012 at 3:10 PM
> > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
> > has System Security bit set
> > To: Jeremy Allison <jra at samba.org>
> > 
> > 
> > Jeremy, thanks for your response.  I didn't actually build Samba from
> > sources; I'm just running the version of Samba that comes with OpenSuse
> > v12.1, which is 3.6.1-34.3.1.x86_64.
> > 
> > I'm pretty sure the chunk of code inside libcli/security/access_check.c you
> > mentioned is enabled with this version, since before I gave the
> > Administrator user SeSecurityPrivilege I was getting the
> > NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
> > error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
> > coming from the check in open.c smbd_calculate_access_mask.
> > 
> > Please let me know if there is something else I should try or if you need
> > any additional info on my configuration. Thanks.
> 
> Ok, I've figured it out. The share security mask isn't being
> set correctly when you have these privileges.
> 
> If you can build from source code, can you test the
> following patch (should apply cleanly to 3.6.x) ?

Actually, ignore that previous patch (breaks other tests).
Try this one instead - I think this fixes the problem in
the right place.

Jeremy.
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 34b24f3..f57e57f 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 }
 
 /****************************************************************************
+  Setup the share access mask for a connection.
+****************************************************************************/
+
+static void create_share_access_mask(connection_struct *conn, int snum)
+{
+	const struct security_token *token = conn->session_info->security_token;
+
+	share_access_check(token,
+			lp_servicename(snum),
+			MAXIMUM_ALLOWED_ACCESS,
+			&conn->share_access);
+
+	if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+		conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+		conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+		conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+		conn->share_access |= (SEC_STD_WRITE_OWNER);
+	}
+}
+
+/****************************************************************************
   Make a connection, given the snum to connect to, and the vuser of the
   connecting user if appropriate.
 ****************************************************************************/
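Review bot: In create_share_access_mask() the privilege-derived bits are ORed into conn->share_access unconditionally, regardless of what share_access_check() returned or granted for the share, so a token holding SEC_PRIV_BACKUP or SEC_PRIV_RESTORE receives SEC_RIGHTS_PRIV_BACKUP / SEC_RIGHTS_PRIV_RESTORE even on a share whose ACL grants it nothing. If that override is the intended semantics (privileges bypass the share ACL, as they do for file ACLs), say so in the function comment; otherwise add the privilege bits only when share_access_check() granted some access, e.g. `if (conn->share_access == 0) { return; }` before the privilege checks. The return value of share_access_check() is also discarded, as it was in the code being replaced; since conn->share_access is the only output used, a short comment noting that the boolean is intentionally ignored would help the next reader. Minor: the comment should read "Set up the share access mask", not "Setup".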
@@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc
 	 *
 	 */
 
-	share_access_check(conn->session_info->security_token,
-			   lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
-			   &conn->share_access);
+	create_share_access_mask(conn, snum);
 
 	if ((conn->share_access & FILE_WRITE_DATA) == 0) {
 		if ((conn->share_access & FILE_READ_DATA) == 0) {
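Review bot: The comment block that ends just above the replaced call (the ` *` / ` */` context lines) describes the old share_access_check() call and should be updated to mention that conn->share_access now also carries bits derived from the token's privileges (SEC_FLAG_SYSTEM_SECURITY, SEC_RIGHTS_PRIV_RESTORE, SEC_RIGHTS_PRIV_BACKUP, SEC_STD_WRITE_OWNER), since the FILE_WRITE_DATA / FILE_READ_DATA checks that follow, and every later consumer of conn->share_access, now see that widened mask. A one-line note there that the read/write tests below are intentionally not affected by the privilege bits would make the intent of the change clear.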
