On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > ---------- Forwarded message ----------
> > From: Tom Lee <tlee2...@gmail.com>
> > Date: Mon, Feb 27, 2012 at 3:10 PM
> > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
> > has System Security bit set
> > To: Jeremy Allison <j...@samba.org>
> >
> >
> > Jeremy thanks for your response. I didn't actually build Samba from
> > sources I'm just running the version of Samba that comes with OpenSuse
> > v12.1 which is 3.6.1-34.3.1.x86_64 .
> >
> > I'm pretty sure the chunk of code inside libcli/security/access_check.c you
> > mentioned is enabled with this version, since before I gave the
> > Administrator user SeSecurityPrivilege I was getting the
> > NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
> > error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
> > coming from the check in open.c smbd_calculate_access_mask.
> >
> > Please let me know if there is something else I should try or if you need
> > any additional info on my configuration. Thanks.
>
> Ok, I've figured it out. The share security mask isn't being
> set correctly when you have these privileges.
>
> If you can build from source code, can you test the
> following patch (should apply cleanly to 3.6.x) ?

Actually, ignore that previous patch (breaks other tests).
Try this one instead - I think this fixes the problem in
the right place.

Jeremy.

diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 34b24f3..f57e57f 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } /**************************************************************************** + Setup the share access mask for a connection. +****************************************************************************/ + +static void create_share_access_mask(connection_struct *conn, int snum) +{ + const struct security_token *token = conn->session_info->security_token; + + share_access_check(token, + lp_servicename(snum), + MAXIMUM_ALLOWED_ACCESS, + &conn->share_access); + + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + conn->share_access |= SEC_FLAG_SYSTEM_SECURITY; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP); + } + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + conn->share_access |= (SEC_STD_WRITE_OWNER); + } +} + +/**************************************************************************** Make a connection, given the snum to connect to, and the vuser of the connecting user if appropriate. ****************************************************************************/ @@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc * */ - share_access_check(conn->session_info->security_token, - lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS, - &conn->share_access); + create_share_access_mask(conn, snum); if ((conn->share_access & FILE_WRITE_DATA) == 0) { if ((conn->share_access & FILE_READ_DATA) == 0) {
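
Review bot: in create_share_access_mask() the four privilege checks OR their bits into conn->share_access without looking at what share_access_check() did, so if that call can return without writing its last argument, the |= lines build on whatever value the field already held. Setting conn->share_access = 0 at the top of the helper, or checking the call's outcome if it reports one, would make the starting point explicit. Smaller style point: the parentheses around (SEC_RIGHTS_PRIV_RESTORE), (SEC_RIGHTS_PRIV_BACKUP) and (SEC_STD_WRITE_OWNER) are not needed and differ from the SEC_FLAG_SYSTEM_SECURITY line above them.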
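
Review bot: the FILE_WRITE_DATA and FILE_READ_DATA tests that follow the new create_share_access_mask(conn, snum) call in make_connection_snum() now run on a mask that already includes the privilege-derived bits, which was not the case with the direct share_access_check() call being removed. If SEC_RIGHTS_PRIV_RESTORE or SEC_RIGHTS_PRIV_BACKUP contain those data bits, a token holding the privilege passes these tests even where the share ACL granted neither. If that is intended, a comment at this call site saying so would help; otherwise run the two tests on the share_access_check() result before the privilege bits are added.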