SMB server should try harder to protect SACLs
In SMB, the System ACL (SACL) is protected by SeSecurityPrivilege: ACCESS_SYSTEM_SECURITY permission is required to modify it, and this permission is only granted to privileged users.
Currently, this is checked when setting security information on existing files; it should also be checked when creating new files with ACCESS_SYSTEM_SECURITY access, or when creating a new file with a security descriptor that contains a SACL.
Updated by Matt Barden 10 months ago
- File 0001-Test-SACL-permissions-smb2.acls.SACL.patch 0001-Test-SACL-permissions-smb2.acls.SACL.patch added
Apply the attached patch to samba, build smbtorture, and run "smbtorture -U user%pass //server/share smb2.acls.SACL". Specify a non-admin user to do negative testing and an admin user to do positive testing.
Updated by Electric Monk 10 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit 9e3ab9e9117808af4e738ea3ac45888be11e4045 Author: Matt Barden <email@example.com> Date: 2021-01-30T19:02:54.000Z 13442 SMB server should try harder to protect SACLs Reviewed by: Evan Layton <firstname.lastname@example.org> Reviewed by: Gordon Ross <email@example.com> Reviewed by: Roman Strashkin <firstname.lastname@example.org> Reviewed by: Andy Fiddaman <email@example.com> Approved by: Robert Mustacchi <firstname.lastname@example.org>