summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Beale <timbeale@catalyst.net.nz>2018-07-20 13:01:00 +1200
committerKarolin Seeger <kseeger@samba.org>2018-08-13 09:13:36 +0200
commitf6cbad5f5039570973ecb7dfa4686eb384fe6f7f (patch)
tree39630cd29f7c48afe21fd4dc1a5dc5fb96039833
parent873ccd079f2d21bba22624a79c6bf14bc38e80ad (diff)
downloadsamba-f6cbad5f5039570973ecb7dfa4686eb384fe6f7f.tar.gz
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access. What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access. Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR. One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
-rw-r--r--libcli/security/access_check.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 93eb85def91..03a7dca4adf 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -429,6 +429,16 @@ static NTSTATUS check_object_specific_access(struct security_ace *ace,
*grant_access = true;
return NT_STATUS_OK;
}
+
+ /*
+ * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
+ * if the CONTROL_ACCESS right is present, then we can grant
+ * access and stop any further access checks
+ */
+ if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
+ *grant_access = true;
+ return NT_STATUS_OK;
+ }
} else {
/* this ACE denies access to the requested object/attribute */