Feature #11024

SMB should bypass ACL traverse checking

Added by Gordon Ross 8 days ago. Updated 3 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: -
Start date: 2019-05-15
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Windows and compatible SMB servers implement a "user right" called "Bypass traverse checking" (https://technet.microsoft.com/en-us/library/cc976473.aspx), which is normally granted to all SMB users.

This privilege is a convenience that allows an administrator to set ACLs on high level directories in a share that technically do not allow ordinary users to "traverse through" (when doing lookup to follow a directory path). For example, it's common to leave the ACLs on the higher level directories at the default, so that only members of the "Administrators" group are granted access. Then on the user's home directory (at some lower level in the hierarchy) they would grant the user some useful access with the ACL at that level. The user is able to traverse through the higher level directories only because they were given the user right to "bypass traverse checking". The ACL on those higher level directories technically does not allow them to traverse through on a lookup.

We typically run into this problem after data import (i.e. via "robocopy") where the ACLs have been preserved, and the system we copy from implements this feature.

Steps to Reproduce:

At top of share, create a directory, ACL has only Full Control for Administrators.
Under that directory, create a subdir, add an ACE for an ordinary user, also full control.
User should be able to navigate to their folder assuming they know the name.
(Note, they can NOT browse to that folder in explorer, but must type in the path.)

Expected Results:
Access allowed.

Actual Results:
Access denied.
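
A simplified model of the lookup behaviour described above, added here as an illustration; it is not code from the SMB server or from this project. The share layout, the user name `alice` and the right names are assumptions constructed for the example.

```python
# Simplified model (constructed for illustration): each directory carries an
# ACL mapping a principal to the set of rights it is granted.
TRAVERSE, LIST, READ = "traverse", "list", "read"
FULL = {TRAVERSE, LIST, READ}

# Constructed sample share matching the "Steps to Reproduce" layout.
SHARE = {
    "/": {"Everyone": FULL},
    "/top": {"Administrators": FULL},
    "/top/home": {"Administrators": FULL, "alice": FULL},
}

def granted(path, principals, right):
    """True if any of the caller's principals is granted `right` on path."""
    acl = SHARE[path]
    return any(right in acl.get(p, ()) for p in principals)

def ancestors(path):
    """Yield every directory walked through before reaching `path`."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])

def lookup(path, principals, right, bypass_traverse):
    """Resolve path, then check `right` on the final component.

    Without the bypass right, every intermediate directory must grant
    TRAVERSE. With it, only the ACL on the final component is evaluated.
    """
    if path not in SHARE:
        return "not found"
    if not bypass_traverse:
        for d in ancestors(path):
            if not granted(d, principals, TRAVERSE):
                return f"access denied (traverse on {d})"
    if not granted(path, principals, right):
        return f"access denied ({right} on {path})"
    return "access allowed"

if __name__ == "__main__":
    alice = {"alice", "Everyone"}
    print(lookup("/top/home", alice, READ, bypass_traverse=False))
    print(lookup("/top/home", alice, READ, bypass_traverse=True))
    print(lookup("/top", alice, LIST, bypass_traverse=True))
```

The last call shows why the user must type the path: the bypass right skips only the traverse check on intermediate directories, so listing the parent is still refused by its ACL.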

History

#1

Updated by Gordon Ross 3 days ago

  • Status changed from New to In Progress
  • Description updated (diff)

Tested per description
In production since early 2017
