summaryrefslogtreecommitdiff
path: root/libcli/security/util_sid.c
diff options
context:
space:
mode:
authorTim Beale <timbeale@catalyst.net.nz>2018-07-20 13:01:00 +1200
committerKarolin Seeger <kseeger@samba.org>2018-08-11 08:16:01 +0200
commita90cb03e19e06eeb32536d02c111bdb0bc3d927d (patch)
treee16ff8c0fc9cf88de0b9b91bfd457e0cf1d0f076 /libcli/security/util_sid.c
parent03dba18bc99f5e37821bfde9c138b012e730d4c7 (diff)
downloadsamba-a90cb03e19e06eeb32536d02c111bdb0bc3d927d.tar.gz
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access. What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access. Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR. One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Diffstat (limited to 'libcli/security/util_sid.c')
0 files changed, 0 insertions, 0 deletions