authorRalph Boehme <slow@samba.org>2019-02-27 18:07:03 +0100
committerKarolin Seeger <kseeger@samba.org>2019-03-11 07:52:24 +0000
commit2fd618413dbf3cb47391518b3bee180a2b76aada (patch)
tree9cc3985de4c2ccf214b1c9b52573ae6f3b91c21d
parent7ab6b04558c426f31a110e82b4db449fdb282cc8 (diff)
downloadsamba-2fd618413dbf3cb47391518b3bee180a2b76aada.tar.gz
libcli/security: add "Owner Rights" calculation to access_check_max_allowed()
This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144 (cherry picked from commit 5cf0764bc4b65dbc59d8626760dbe946a2234833)
-rw-r--r--libcli/security/access_check.c33
-rw-r--r--selftest/knownfail.d/smb2.acls2
2 files changed, 28 insertions, 7 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 03a7dca4adf..5d49b718f0c 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -110,13 +110,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
{
uint32_t denied = 0, granted = 0;
unsigned i;
-
- if (security_token_has_sid(token, sd->owner_sid)) {
- granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
- }
+ uint32_t owner_rights_allowed = 0;
+ uint32_t owner_rights_denied = 0;
+ bool owner_rights_default = true;
if (sd->dacl == NULL) {
- return granted & ~denied;
+ if (security_token_has_sid(token, sd->owner_sid)) {
+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+ }
+ return granted;
}
for (i = 0;i<sd->dacl->num_aces; i++) {
@@ -126,6 +128,18 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
continue;
}
+ if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+ owner_rights_allowed |= ace->access_mask;
+ owner_rights_default = false;
+ } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+ owner_rights_denied |= (owner_rights_allowed &
+ ace->access_mask);
+ owner_rights_default = false;
+ }
+ continue;
+ }
+
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
@@ -143,6 +157,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
}
}
+ if (security_token_has_sid(token, sd->owner_sid)) {
+ if (owner_rights_default) {
+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+ } else {
+ granted |= owner_rights_allowed;
+ granted &= ~owner_rights_denied;
+ }
+ }
+
return granted & ~denied;
}
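Review bot: The new owner block before `return granted & ~denied;` carries no comment explaining why the presence of an OWNER RIGHTS ACE replaces, rather than adds to, the implicit WRITE_DAC|READ_CONTROL grant, and a reader cannot tell from the code alone that this is the documented semantics of the S-1-3-4 trustee. I would add above `if (security_token_has_sid(token, sd->owner_sid)) {`: `/* Per MS-DTYP, any explicit OWNER RIGHTS (S-1-3-4) ACE in the DACL replaces the owner's implicit WRITE_DAC|READ_CONTROL; only when none is present do we fall back to those defaults. */`. Note also that `owner_rights_denied` is masked out of the whole of `granted`, so an explicit owner-rights deny also strips bits that an ordinary allow ACE for one of the token's groups granted earlier in the loop — more restrictive than strict first-match ordering, which is probably acceptable for a maximum-allowed computation but worth stating in the comment if it is intended. The ACE loop this block follows starts outside the hunk.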
diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls
deleted file mode 100644
index 733a79381ac..00000000000
--- a/selftest/knownfail.d/smb2.acls
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.smb2.acls.OWNER-RIGHTS\(ad_dc\)
-^samba3.smb2.acls.OWNER-RIGHTS\(nt4_dc\)