summaryrefslogtreecommitdiff
path: root/libcli/security
diff options
context:
space:
mode:
authorTim Beale <timbeale@catalyst.net.nz>2018-07-20 13:01:00 +1200
committerKarolin Seeger <kseeger@samba.org>2018-08-14 13:57:16 +0200
commitba46578f97ab35ac12ea0bd298c4180363224675 (patch)
treef34e0fe638e718903cd4c07254d44066806ec25f /libcli/security
parent563e454e8c55e94a9509c935468b636fe0d8eb97 (diff)
downloadsamba-ba46578f97ab35ac12ea0bd298c4180363224675.tar.gz
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access. What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access. Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR. One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'libcli/security')
-rw-r--r--libcli/security/access_check.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 93eb85def91..03a7dca4adf 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -429,6 +429,16 @@ static NTSTATUS check_object_specific_access(struct security_ace *ace,
*grant_access = true;
return NT_STATUS_OK;
}
+
+ /*
+ * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
+ * if the CONTROL_ACCESS right is present, then we can grant
+ * access and stop any further access checks
+ */
+ if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
+ *grant_access = true;
+ return NT_STATUS_OK;
+ }
} else {
/* this ACE denies access to the requested object/attribute */