SMB should bypass ACL traverse checking
Windows and compatible SMB servers implement a "user right" called "Bypass traverse checking" (https://technet.microsoft.com/en-us/library/cc976473.aspx), which is normally granted to all SMB users.
This privilege is a convenience that allows an administrator to set ACLs on high level directories in a share that technically do not allow ordinary users to "traverse through" (when doing lookup to follow a directory path). For example, it's common to leave the ACLs on the higher level directories at the default, so that only members of the "Administrators" group are granted access. Then on the user's home directory (at some lower level in the hierarchy) they would grant the user some useful access with the ACL at that level. The user is able to traverse through the higher level directories only because they were given the user right to "bypass traverse checking". The ACL on those higher level directories technically does not allow them to traverse through on a lookup.
We typically run into this problem after data import (i.e. via "robocopy") where the ACLs have been preserved, and the system we copy from implements this feature.
Steps to Reproduce:
At top of share, create a directory, ACL has only Full Control for Administrators.
Under that directory, create a subdir, add an ACE for an ordinary user, also full control.
User should be able to navigate to their folder assuming they know the name.
(Note, they can NOT browse to that folder in explorer, but must type in the path.)
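A small model of the lookup behaviour this issue describes, added here as an illustration and not taken from the illumos SMB server source. The access bits, principal ids, the `open_path` function and the assumption that the share root is open to everyone are all hypothetical; the tree mirrors the steps to reproduce.

```c
#include <stdio.h>
#include <string.h>

/* Simplified access bits for this model (not real NT access masks). */
#define ACC_TRAVERSE 0x1   /* pass through a directory during lookup */
#define ACC_LIST     0x2   /* enumerate a directory's contents */
#define ACC_FULL     (ACC_TRAVERSE | ACC_LIST)
enum { WHO_ADMINS = 1, WHO_USER = 2 };   /* hypothetical principals */

/* parent: index into tree[] (-1 = share root); allow[]: access per principal */
struct dir { const char *name; int parent; int allow[3]; };
/* Constructed tree from the steps to reproduce: \top\home */
static const struct dir tree[] = {
    { "",     -1, { 0, ACC_FULL, ACC_FULL } },  /* share root (assumed open) */
    { "top",   0, { 0, ACC_FULL, 0 } },         /* Administrators only */
    { "home",  1, { 0, ACC_FULL, ACC_FULL } },  /* ACE added for the user */
};
#define NDIRS ((int)(sizeof (tree) / sizeof (tree[0])))

/* Returns 0 on success, -1 for access denied, -2 for not found. */
static int open_path(const char *path, int who, int bypass, int want)
{
    int cur = 0;                            /* start at the share root */
    while (*path != '\0') {
        size_t n = strcspn(path, "\\");
        int next = -1;
        if (n == 0) { path++; continue; }   /* skip empty components */
        /* A lookup inside 'cur' needs traverse on 'cur' unless bypassed. */
        if (!bypass && !(tree[cur].allow[who] & ACC_TRAVERSE))
            return -1;
        for (int i = 0; i < NDIRS; i++)
            if (tree[i].parent == cur && strlen(tree[i].name) == n &&
                strncmp(tree[i].name, path, n) == 0)
                next = i;
        if (next < 0) return -2;
        cur = next;
        path += n;
    }
    /* The target's own ACL is always enforced, privilege or not. */
    return ((tree[cur].allow[who] & want) == want) ? 0 : -1;
}

int main(void)
{
    printf("%d %d %d\n", open_path("top\\home", WHO_USER, 1, ACC_FULL),
        open_path("top\\home", WHO_USER, 0, ACC_FULL),
        open_path("top", WHO_USER, 1, ACC_LIST));
    return 0;
}
```

The third call is the case from the note above: the privilege skips the traverse check on the parent but does not let the user list it.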
Updated by Electric Monk 2 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit cc3780e66ce1eea52e650b27b7dc5ad62d24eec2
Author: Gordon Ross <firstname.lastname@example.org>
Date: 2019-08-10T14:05:21.000Z

11024 SMB should bypass ACL traverse checking
Reviewed by: Evan Layton <email@example.com>
Reviewed by: Roman Strashkin <firstname.lastname@example.org>
Approved by: Garrett D'Amore <email@example.com>