Bug #13442

closed

SMB server should try harder to protect SACLs

Added by Matt Barden about 1 year ago. Updated 12 months ago.

Status: Closed
Priority: Normal
Category: cifs - CIFS server and client
% Done: 100%
Difficulty: Medium

Description

In SMB, the System ACL (SACL) is protected by SeSecurityPrivilege: ACCESS_SYSTEM_SECURITY permission is required to modify it, and this permission is only granted to privileged users.

Currently, this is checked when setting security information on existing files; it should also be checked when creating new files with ACCESS_SYSTEM_SECURITY access, or when creating a new file with a security descriptor that contains a SACL.


Files

0001-Test-SACL-permissions-smb2.acls.SACL.patch (7.16 KB): Adds the 'smb2.acls.SACL' test to smbtorture. Matt Barden, 2021-01-30 12:31 AM
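
The create-time check the description asks for, sketched as an added example (not part of the original report and not the illumos SMB server's code): it reads a self-relative security descriptor header to see whether a SACL is supplied, and requires the privilege in both cases the report names. The function names, the constructed sample descriptors and the choice of returned status codes are assumptions; only the SACL offset is validated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ACCESS_SYSTEM_SECURITY    0x01000000u /* access-mask bit guarding the SACL */
#define SE_SACL_PRESENT           0x0010u     /* SD control flag */
#define SE_SELF_RELATIVE          0x8000u     /* SD control flag */
#define SD_HDR_LEN                20u         /* self-relative SD header size */
#define ACL_HDR_LEN               8u
#define ST_OK                     0x00000000u
#define ST_PRIVILEGE_NOT_HELD     0xC0000061u /* STATUS_PRIVILEGE_NOT_HELD (assumed choice) */
#define ST_INVALID_SECURITY_DESCR 0xC0000079u /* STATUS_INVALID_SECURITY_DESCR (assumed choice) */

/* Constructed samples: self-relative SDs holding only an empty DACL / an empty SACL. */
static const uint8_t sd_dacl_only[28] = {
    1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,  2,0,8,0,0,0,0,0 };
static const uint8_t sd_with_sacl[28] = {
    1, 0, 0x10, 0x80, 0,0,0,0, 0,0,0,0, 20,0,0,0, 0,0,0,0,  2,0,8,0,0,0,0,0 };

/* Returns 1 if the SD carries a SACL, 0 if not, -1 if the header is malformed. */
static int sd_has_sacl(const uint8_t *sd, size_t len)
{
    if (len < SD_HDR_LEN || sd[0] != 1)
        return -1;
    uint16_t control = (uint16_t)(sd[2] | (sd[3] << 8));
    uint32_t off = sd[12] | (sd[13] << 8) | (sd[14] << 16) | ((uint32_t)sd[15] << 24);
    if (!(control & SE_SELF_RELATIVE))
        return -1;
    if (off != 0 && (off < SD_HDR_LEN || off > len - ACL_HDR_LEN))
        return -1;
    /* Conservative: either the flag or a non-zero offset counts as "has a SACL". */
    return (control & SE_SACL_PRESENT) != 0 || off != 0;
}

/* Hypothetical create-time gate: has_priv means the caller holds SeSecurityPrivilege. */
uint32_t create_sacl_check(uint32_t desired, const uint8_t *sd, size_t len, int has_priv)
{
    int needs_priv = (desired & ACCESS_SYSTEM_SECURITY) != 0;
    if (sd != NULL) {
        int r = sd_has_sacl(sd, len);
        if (r < 0)
            return ST_INVALID_SECURITY_DESCR;
        needs_priv |= r;
    }
    return (needs_priv && !has_priv) ? ST_PRIVILEGE_NOT_HELD : ST_OK;
}

int main(void)
{   /* 0x00120089 is a constructed read-style access mask without ACCESS_SYSTEM_SECURITY */
    printf("%08x\n", (unsigned)create_sacl_check(0x00120089u, sd_with_sacl, sizeof sd_with_sacl, 0));
    printf("%08x\n", (unsigned)create_sacl_check(0x00120089u, sd_dacl_only, sizeof sd_dacl_only, 0));
    return 0;
}
```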