Bug #13442
SMB server should try harder to protect SACLs
Status: Closed
% Done: 100%
Difficulty: Medium
Description
In SMB, the System ACL (SACL) is protected by SeSecurityPrivilege: ACCESS_SYSTEM_SECURITY permission is required to modify it, and this permission is only granted to privileged users.
Currently, this is checked when setting security information on existing files; it should also be checked when creating new files with ACCESS_SYSTEM_SECURITY access, or when creating a new file with a security descriptor that contains a SACL.
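The create-time check described above, sketched as an added example; it is not the illumos SMB server code and not part of the original report. The names `check_create`, `sd_has_sacl`, `has_priv` and the verdict enum are hypothetical, the security descriptor is assumed to be in self-relative form, and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define ACCESS_SYSTEM_SECURITY 0x01000000u /* access mask bit (MS-DTYP) */
#define SE_SACL_PRESENT        0x0010u     /* SD control flag (MS-DTYP) */
#define SD_HDR_LEN             20u         /* self-relative SD header */
#define ACL_HDR_LEN            8u
enum verdict { CREATE_OK, CREATE_PRIV_NOT_HELD, CREATE_BAD_SD };

static uint32_t le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 if the self-relative SD carries a SACL, 0 if not, -1 if malformed. */
static int sd_has_sacl(const uint8_t *sd, size_t len)
{
	if (len < SD_HDR_LEN)
		return -1;
	uint16_t control = (uint16_t)(sd[2] | sd[3] << 8);
	uint32_t off_sacl = le32(sd + 12);
	if (off_sacl != 0 && (off_sacl < SD_HDR_LEN || off_sacl > len - ACL_HDR_LEN))
		return -1;
	/* Conservative choice: the flag or a non-zero offset both count. */
	return (control & SE_SACL_PRESENT) != 0 || off_sacl != 0;
}

/* has_priv: non-zero if the caller holds SeSecurityPrivilege (hypothetical). */
enum verdict check_create(uint32_t desired, const uint8_t *sd, size_t len, int has_priv)
{
	int touches = (desired & ACCESS_SYSTEM_SECURITY) != 0;
	if (sd != NULL) {
		int r = sd_has_sacl(sd, len);
		if (r < 0)
			return CREATE_BAD_SD;
		touches |= r;
	}
	return (touches && !has_priv) ? CREATE_PRIV_NOT_HELD : CREATE_OK;
}

/* Constructed samples: 20-byte SD header followed by one empty ACL. */
static const uint8_t SD_WITH_SACL[28] = { 1, 0, 0x10, 0x80, 0,0,0,0, 0,0,0,0,
	20,0,0,0, 0,0,0,0, 2, 0, 8, 0, 0, 0, 0, 0 };
static const uint8_t SD_DACL_ONLY[28] = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0,
	0,0,0,0, 20,0,0,0, 2, 0, 8, 0, 0, 0, 0, 0 };
int main(void)
{
	/* Exit status 0 when a non-privileged create carrying a SACL is refused. */
	return check_create(0x00120089u, SD_WITH_SACL, sizeof SD_WITH_SACL, 0) != CREATE_PRIV_NOT_HELD;
}
```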
Updated by Matt Barden over 2 years ago
- File 0001-Test-SACL-permissions-smb2.acls.SACL.patch added
Apply the attached patch to samba, build smbtorture, and run "smbtorture -U user%pass //server/share smb2.acls.SACL". Specify a non-admin user to do negative testing and an admin user to do positive testing.
Updated by Electric Monk over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit 9e3ab9e9117808af4e738ea3ac45888be11e4045
commit 9e3ab9e9117808af4e738ea3ac45888be11e4045
Author: Matt Barden <matt.barden@nexenta.com>
Date: 2021-01-30T19:02:54.000Z

    13442 SMB server should try harder to protect SACLs
    Reviewed by: Evan Layton <elayton@tintri.com>
    Reviewed by: Gordon Ross <gordon.ross@tintri.com>
    Reviewed by: Roman Strashkin <rstrashkin@tintri.com>
    Reviewed by: Andy Fiddaman <andy@omnios.org>
    Approved by: Robert Mustacchi <rm@fingolfin.org>