Project

General

Profile

Actions

Bug #13442

closed

SMB server should try harder to protect SACLs

Added by Matt Barden 4 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
cifs - CIFS server and client
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

In SMB, the System ACL (SACL) is protected by SeSecurityPrivilege: ACCESS_SYSTEM_SECURITY permission is required to modify it, and this permission is only granted to privileged users.

Currently, this is checked when setting security information on existing files; it should also be checked when creating new files with ACCESS_SYSTEM_SECURITY access, or when creating a new file with a security descriptor that contains a SACL.


Files

0001-Test-SACL-permissions-smb2.acls.SACL.patch (7.16 KB) 0001-Test-SACL-permissions-smb2.acls.SACL.patch Adds the 'smb2.acls.SACL' test to smbtorture Matt Barden, 2021-01-30 12:31 AM
Actions #1

Updated by Electric Monk 4 months ago

  • Gerrit CR set to 1161
Actions #2

Updated by Matt Barden 4 months ago

Apply the attached patch to samba, build smbtorture, and run "smbtorture -U user%pass //server/share smb2.acls.SACL". Specify a non-admin user to do negative testing and an admin user to do positive testing.

Actions #3

Updated by Electric Monk 4 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 9e3ab9e9117808af4e738ea3ac45888be11e4045

commit  9e3ab9e9117808af4e738ea3ac45888be11e4045
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2021-01-30T19:02:54.000Z

    13442 SMB server should try harder to protect SACLs
    Reviewed by: Evan Layton <elayton@tintri.com>
    Reviewed by: Gordon Ross <gordon.ross@tintri.com>
    Reviewed by: Roman Strashkin <rstrashkin@tintri.com>
    Reviewed by: Andy Fiddaman <andy@omnios.org>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

Actions

Also available in: Atom PDF