git.samba.org - martins/samba-autobuild/.git/commit

author	Ralph Boehme <slow@samba.org>
	Fri, 1 Mar 2019 17:20:35 +0000 (18:20 +0100)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 11 Mar 2019 07:55:38 +0000 (07:55 +0000)
commit	1dc2e296f1749c3efff8b2e779b0c5e0f50cef34
tree	026fa06ed91fe8fe67f8048dad7f69ac4559cb1b	tree
parent	3026c1a36c310ab9759a9700fb023e439dd6b335	commit \| diff

libcli/security: correct access check and maximum access calculation for Owner Rights ACEs

We basically must process the Owner Rights ACEs as any other ACE wrt to the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.

We just have to do some initial magic to determine if an ACL contains and
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:

-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
   IF DACL does not contain ACEs from object owner THEN
       Remove READ_CONTROL and WRITE_DAC from RemainingAccess
       Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
   END IF
END IF

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9722f75757c0e38c7f42c7cc310d56aa6eaf6392)

libcli/security/access_check.c		diff \| blob \| history
selftest/knownfail.d/smb2.acls	[deleted file]	blob \| history