[Samba] SMB2 CREATE + ACCESS_SYSTEM_SECURITY

Jeremy Allison jra at samba.org
Thu Jan 3 11:25:11 MST 2013


On Mon, Dec 31, 2012 at 04:47:56PM +0000, Steve Tice wrote:
> Jeremy Allison <jra <at> samba.org> writes:
> 
> > 
> > On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote:
> > > Can anybody provide the expected response to an SMB2 CREATE request that
> > > includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m particularly
> > > interested in cases where the SMB client is connected as an authenticated
> > > user with administrative (superuser) privileges on the share, and has made
> > > the request on a directory. Should such a client expect full (read/change)
> > > access to the SACL (under any conditions)?
> > > 
> > > The question above is theoretical in nature. Practically speaking, does any
> > > version of the Samba server respond correctly to the request described
> > > above? I have a Windows application that makes such a request, and have
> > > tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep
> > > seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the
> > > correct response when the client has superuser privileges - but perhaps my
> > > expectation is wrong. If I make the same request while connected to a share
> > > on a Windows server, the response is NT_STATUS_OK.
> > > 
> > > Is there a Samba server configuration change I could make that would affect
> > > the behavior? Is there any setup work to do prior to sending the SMB2
> > > CREATE request (for example, adding a privilege)?
> > 
> > You need to give the connected user the SeSecurity privilege.
> > 
> > Jeremy
> 
> Agreed. The Windows app which reproduces the behavior described above adds the 
> following privileges after creating but before attempting to open the new 
> directory:
> 
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> 
> I just noticed that my description above is incorrect. The unexpected behavior 
> occurs when attempting to open (not create) a directory. Here's a copy of the 
> Windows application source:
> --
> // Reproduce-Problem.cpp : Attempt to open a directory with 
> ACCESS_SYSTEM_SECURITY
> // set in the dwDesiredAccess argument.
> //

Those calls to adjust the process token only work locally.
You need to use the net command on the Samba server to
add the privileges there.

Jeremy


More information about the samba mailing list