On Thu, Feb 26, 2009 at 12:26:52AM +0100, François Legal wrote:
>
> To be honest, I did not really understand what SACL is. Are you talking
> about file and directory ACLs?
>
> How do I know if my users have the SE_SECURITY_NAME privilege? My users
> (especially the one who is accessing the file in the log) are normal users
> without any specific privilege (not even domain admins nor local
> workstation admin). However, they're not prevented from setting files and
> directories ACLs either on local or network drives (they're welcome to as
> our filesystems are XFS).
>
> About the application requesting something specific, I don't know. The
> file was created with that same version of MS Word (2007) by that same user
> (the one trying to modify it as in the log) but with another samba version
> (one of 3.2.0 3.2.2 or 3.2.4)
>
> Where should I go from here?

Ok, can you try this patch against 3.3.1? It might change client behavior,
as at the moment we return NT_STATUS_ACCESS_DENIED when a client asks for
SEC_FLAG_SYSTEM_SECURITY access to a file (which is a request to get at
the system security audit ACL). The patch changes our behavior to return
an error of NT_STATUS_PRIVILEGE_NOT_HELD instead, which may then cause the
client to fall back to asking for fewer privileges on the open (thus
allowing it to succeed).

Thanks,

Jeremy.

diff --git a/source/lib/util_seaccess.c b/source/lib/util_seaccess.c index 0da7442..ab0f09b 100644 --- a/source/lib/util_seaccess.c +++ b/source/lib/util_seaccess.c @@ -179,17 +179,20 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, bits_remaining)); } -#if 0 - /* We need to support SeSecurityPrivilege for this. */ if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { +#if 0 + /* We need to support SeSecurityPrivilege for this. */ if (user_has_privileges(token, &sec_security)) { bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; } else { return NT_STATUS_PRIVILEGE_NOT_HELD; } - } +#else + return NT_STATUS_PRIVILEGE_NOT_HELD; + #endif + } /* a NULL dacl allows access */ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
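
Review bot: The live "#else" branch returns NT_STATUS_PRIVILEGE_NOT_HELD for every request that sets SEC_FLAG_SYSTEM_SECURITY without looking at the token, and the only explanatory comment ("We need to support SeSecurityPrivilege for this.") now sits inside the disabled "#if 0" half. A short comment on the active return would keep the intent visible: that the refusal is unconditional until the user_has_privileges(token, &sec_security) path can be enabled, and that this status code is chosen over an access-denied result so a client can retry the open with a smaller access mask. The early return also sits ahead of the "a NULL dacl allows access" check in the trailing context, so a request carrying this bit is refused even for a descriptor with a NULL DACL; worth stating in the comment that this ordering is intended. As a style point, the added "#endif" appears to carry leading whitespace while the added "#if 0" and "#else" start at column 0; align the three directives.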