object_tree_modify_access explanation

Nadezhda Ivanova nivanova at samba.org
Mon Oct 15 01:31:08 MDT 2012


Hi Matt,
As far as I can remember, this is the intended behavior, for the following
reason:
When we build the object tree, the desired access mask is put in the node -
the access that we are checking for. After that, we walk the aces in the
sd, and if we find an ace that grants us a right we need, we remove this
right from the "desired" mask. If we find an ACE that denies it, the check
fails. If after we have been through all the aces the remaining access mask
in the node is all 0, the access check is successful, else it fails.
Take a look here:
http://msdn.microsoft.com/en-us/library/cc223517%28prot.20%29.aspx
It is possible there is some error in the algorithm, but at the time of
development a lot of python tests were developed and they all passed both
against Windows and Samba.

And many thanks for taking the time to document this code!

Regards,
Nadya

On Mon, Oct 15, 2012 at 7:10 AM, Jeremy Allison <jra at samba.org> wrote:

> On Sat, Oct 13, 2012 at 03:05:33PM -0700, Matthieu Patou wrote:
> > Hello Nadya and Jeremy,
> >
> > I was wandering the ACL code today and tried to do a deeper dive in it
> >
> > I'm a bit puzzled by this function in libcli/security/access_check.c:
> >
> > void object_tree_modify_access(struct object_tree *root,
> >                                uint32_t access_mask)
> > {
> >         /* clear the bits granted by this ACE from what this node still wants */
> >         root->remaining_access &= ~access_mask;
> >         if (root->num_of_children > 0) {
> >                 int i;
> >                 /* and do the same for every node below it */
> >                 for (i = 0; i < root->num_of_children; i++) {
> >                         object_tree_modify_access(&root->children[i], access_mask);
> >                 }
> >         }
> > }
> >
> > My understanding is that we remove the bits set in access_mask in
> > the remaining_access var of root and all its children.
> > But I'm still not convinced that it was what we wanted to achieve.
> >
> >
> > Also I wanted to see if the comments I put in this patch are correct.
>
> I have to admit I have not studied the access control checks
> in the AD code, only the file server. I'll take a look at this,
> but it might have to wait until I get back from Europe on the
> 23rd Oct. If you still need review of this after that date
> please ping me again.
>
> Cheers,
>
>         Jeremy.
>
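As an added illustration of the walk Nadya describes (this is example code written for this page, not Samba's access_check.c and not part of the thread), the following C program models an object tree whose nodes carry a "remaining" access mask, applies a list of allow/deny ACEs in order, and reports success only when every node's remaining mask reaches zero. The `struct node`, `struct ace`, `RIGHT_READ`/`RIGHT_WRITE` and the scenario functions are constructed for the example; only the recursive clearing in `tree_modify_access` mirrors the quoted `object_tree_modify_access`.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an object tree node (not Samba's struct object_tree). */
#define MAX_CHILDREN 4
struct node {
    const char *name;
    uint32_t remaining_access;            /* desired bits not yet granted */
    int num_of_children;
    struct node *children[MAX_CHILDREN];
};

/* Constructed ACE model: allow or deny, plus the access mask it covers. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t access_mask; };

/* Two example rights; values are arbitrary and chosen for this example. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u

/* Same shape as the quoted object_tree_modify_access: clear the granted
 * bits in this node and recursively in every node below it. */
static void tree_modify_access(struct node *root, uint32_t access_mask)
{
    root->remaining_access &= ~access_mask;
    for (int i = 0; i < root->num_of_children; i++)
        tree_modify_access(root->children[i], access_mask);
}

/* True if any node in the subtree still wants a bit covered by `mask`. */
static bool tree_wants(const struct node *root, uint32_t mask)
{
    if (root->remaining_access & mask) return true;
    for (int i = 0; i < root->num_of_children; i++)
        if (tree_wants(root->children[i], mask)) return true;
    return false;
}

/* One pass over the ACEs in order. Allow ACEs clear bits; a deny ACE that
 * overlaps something still wanted fails the check. At the end, success
 * means nothing remains wanted anywhere in the tree (mask ~0u = all bits). */
static bool check_access(struct node *root, const struct ace *aces, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (aces[i].type == ACE_ALLOW)
            tree_modify_access(root, aces[i].access_mask);
        else if (tree_wants(root, aces[i].access_mask))
            return false;                  /* explicit deny of a wanted right */
    }
    return !tree_wants(root, ~0u);
}

/* Constructed fixture: a root with two children, all asking for `desired`. */
static void build_tree(struct node *root, struct node kids[2], uint32_t desired)
{
    kids[0] = (struct node){ "child-a", desired, 0, {0} };
    kids[1] = (struct node){ "child-b", desired, 0, {0} };
    *root   = (struct node){ "root", desired, 2, { &kids[0], &kids[1] } };
}

/* Two allow ACEs together cover READ|WRITE: granted. */
bool scenario_allow_split(void)
{
    struct node root, kids[2];
    build_tree(&root, kids, RIGHT_READ | RIGHT_WRITE);
    const struct ace aces[] = { {ACE_ALLOW, RIGHT_READ}, {ACE_ALLOW, RIGHT_WRITE} };
    return check_access(&root, aces, 2);
}

/* Only READ is allowed, WRITE is still wanted at the end: denied. */
bool scenario_allow_partial(void)
{
    struct node root, kids[2];
    build_tree(&root, kids, RIGHT_READ | RIGHT_WRITE);
    const struct ace aces[] = { {ACE_ALLOW, RIGHT_READ} };
    return check_access(&root, aces, 1);
}

/* Deny WRITE comes before allow READ|WRITE: denied, the walk stops at the deny. */
bool scenario_deny_first(void)
{
    struct node root, kids[2];
    build_tree(&root, kids, RIGHT_READ | RIGHT_WRITE);
    const struct ace aces[] = { {ACE_DENY, RIGHT_WRITE}, {ACE_ALLOW, RIGHT_READ | RIGHT_WRITE} };
    return check_access(&root, aces, 2);
}

/* Allow READ|WRITE first, then deny WRITE: still granted, because the bit
 * was already cleared when the deny is reached. This is why ACE order
 * (denies before allows) matters for an ACL to mean what its author intends. */
bool scenario_deny_after_allow(void)
{
    struct node root, kids[2];
    build_tree(&root, kids, RIGHT_READ | RIGHT_WRITE);
    const struct ace aces[] = { {ACE_ALLOW, RIGHT_READ | RIGHT_WRITE}, {ACE_DENY, RIGHT_WRITE} };
    return check_access(&root, aces, 2);
}

int main(void)
{
    printf("allow split:      %s\n", scenario_allow_split()      ? "granted" : "denied");
    printf("allow partial:    %s\n", scenario_allow_partial()    ? "granted" : "denied");
    printf("deny first:       %s\n", scenario_deny_first()       ? "granted" : "denied");
    printf("deny after allow: %s\n", scenario_deny_after_allow() ? "granted" : "denied");
    return 0;
}
```

The last two scenarios use the same ACEs in opposite orders and get opposite answers, which is the practical consequence of the "remove granted bits as you go, fail on the first overlapping deny" walk: a deny ACE that is ordered after an allow covering the same right has no effect, so tooling that writes ACLs should keep denies in canonical order ahead of allows.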

