Project

General

Profile

Feature #11024

SMB should bypass ACL traverse checking

Added by Gordon Ross 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

Windows and compatible SMB servers implement a "user right" called: Bypass traverse checking https://technet.microsoft.com/en-us/library/cc976473.aspx
which is normally granted to all SMB users.

This privilege is a convenience that allows an administrator to set ACLs on high level directories in a share that technically do not allow ordinary users to "traverse through" (when doing lookup to follow a directory path). For example, it's common to leave the ACLs on the higher level directories at the default, so that only members of the "Administrators" group are granted access. Then on the user's home directory (at some lower level in the hierarchy) they would grant the user some useful access with the ACL at that level. The user is able to traverse through the higher level directories only because they were given the user right to "bypass traverse checking". The ACL on those higher level directories technically does not allow them to traverse through on a lookup.

We typically run into this problem after data import (i.e. via "robocopy") where the ACLs have been preserved, and the system we copy from implements this feature.

Steps to Reproduce:

At top of share, create a directory, ACL has only Full Control for Administrators.
Under that directory, create a subdir, add an ACE for an ordinary user, also full control.
User should be able to navigate to their folder assuming they know the name.
(Note, they can NOT browse to that folder in explorer, but must type in the path.)

Expected Results:
Access allowed.

Actual Results:
Access denied.

History

#1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress

Tested per description
In production since early 2017

#2

Updated by Electric Monk 2 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit cc3780e66ce1eea52e650b27b7dc5ad62d24eec2

commit  cc3780e66ce1eea52e650b27b7dc5ad62d24eec2
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-08-10T14:05:21.000Z

    11024 SMB should bypass ACL traverse checking
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
    Approved by: Garrett D'Amore <garrett@damore.org>

Also available in: Atom PDF