Project

General

Profile

Bug #13442

SMB server should try harder to protect SACLs

Added by Matt Barden 12 days ago. Updated 12 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Category:
cifs - CIFS server and client
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

In SMB, the System ACL (SACL) is protected by SeSecurityPrivilege: ACCESS_SYSTEM_SECURITY permission is required to modify it, and this permission is only granted to privileged users.

Currently, this is checked when setting security information on existing files; it should also be checked when creating new files with ACCESS_SYSTEM_SECURITY access, or when creating a new file with a security descriptor that contains a SACL.

#1

Updated by Electric Monk 12 days ago

  • Gerrit CR set to 1161

Also available in: Atom PDF