    libcli/security: correct access check and maximum access calculation for Owner Rights ACEs · b4289aa3
    Ralph Boehme authored
    We basically must process the Owner Rights ACEs as any other ACE with regard
    to the order of adding granted permissions and checking denied permissions.
    According to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main
    loop over the ACEs in an ACL and the corresponding access_mask must be
    directly applied to bits_remaining. We currently defer this to after the loop
    over the ACEs in the ACL; this is wrong.
    
    We just have to do some initial magic to determine if an ACL contains any
    Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
    SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:
    
    -- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
    CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
    IF SidInToken returns True THEN
       IF DACL does not contain ACEs from object owner THEN
           Remove READ_CONTROL and WRITE_DAC from RemainingAccess
           Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
       END IF
    END IF
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
    
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (cherry picked from commit 9722f757)
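As an added illustration (not code from the Samba commit or tree), the evaluation order the message describes: the implicit owner grant is decided before the main loop, and an Owner Rights ACE is applied in place during the ordered pass. SIDs are simplified to ints and the value 4 stands in for the Owner Rights SID S-1-3-4; both are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Standard-rights bits, same values as Samba's SEC_STD_* constants. */
#define SEC_STD_READ_CONTROL 0x00020000u
#define SEC_STD_WRITE_DAC    0x00040000u
/* Simplification (assumption): SIDs are ints, 4 stands in for S-1-3-4 (Owner Rights). */
#define SID_OWNER_RIGHTS 4

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; int trustee; uint32_t mask; };
struct token { const int *sids; size_t num_sids; };

static bool sid_in_token(const struct token *t, int sid)
{
	for (size_t i = 0; i < t->num_sids; i++)
		if (t->sids[i] == sid) return true;
	return false;
}

/* True when every bit of 'desired' is granted; *granted (optional) gets the bits that were. */
static bool access_check(const struct ace *dacl, size_t num_aces, int owner_sid,
			 const struct token *tok, uint32_t desired, uint32_t *granted)
{
	uint32_t bits_remaining = desired;
	bool owner_in_token = sid_in_token(tok, owner_sid);
	bool have_owner_rights_ace = false;
	/* Initial pass only to learn whether an Owner Rights ACE is present at all. */
	for (size_t i = 0; i < num_aces; i++)
		if (dacl[i].trustee == SID_OWNER_RIGHTS) have_owner_rights_ace = true;
	/* The implicit owner grant is applied *before* the main loop, and only if no
	 * Owner Rights ACE replaces it. */
	if (owner_in_token && !have_owner_rights_ace)
		bits_remaining &= ~(SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC);
	/* One ordered pass: an Owner Rights ACE is applied in place like any other ACE. */
	for (size_t i = 0; i < num_aces; i++) {
		const struct ace *a = &dacl[i];
		bool applies = (a->trustee == SID_OWNER_RIGHTS) ? owner_in_token
							       : sid_in_token(tok, a->trustee);
		if (!applies) continue;
		if (a->type == ACE_ALLOW)
			bits_remaining &= ~a->mask;
		else if (bits_remaining & a->mask)
			break;	/* a still-wanted bit is denied: stop, access denied */
	}
	if (granted) *granted = desired & ~bits_remaining;
	return bits_remaining == 0;
}
```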