Hi Volker:

We have completed our investigation regarding your inquiry on WRITE_DAC 
permission on a share.
The steps through which an access check must go before an operation is allowed 
are as follows:

1. The desired access is checked against the share permissions. If any of the 
desired access bits are not set in the share permission, access is denied 
regardless of what access rights the user has for the file, directory, etc., 
consistent with the situation as described in our initial response.
2. If the share permission check results in access being allowed, then the SMB 
server makes the request to the object store, which runs its own access checks.

As part of discretionary access control, Windows always allows a security 
descriptor to be optionally provided when creating a file. The share access and 
file access needed to create a file do not require WRITE_DAC access. 
So, as part of creating a file, you can write a custom DACL without requesting 
WRITE_DAC. 
If you look at frame 11 of your trace change.cap, you will notice that the 
desired access for NT TRANSACT CREATE does not include WRITE_DAC. As such, it 
passes the share access check.

In the case of frame 15 of change.cap, you are specifically requesting WRITE_DAC 
access, and this bit is not set in the share permissions for this particular 
user. Therefore, the second access is denied.

MS-CIFS/MS-SMB/MS-SMB2 will be modified to document the role of share 
permissions along the lines of the description above.

Please let me know if it answers your question. If it does, I'll consider this 
issue resolved.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at 
allis...@microsoft.com
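
An added example (not code from Microsoft or from Samba) that models the two-stage check described in the reply above; the share permission mask and the creator's custom DACL are constructed values standing in for the frame 11 / frame 15 situation, while the access-mask bit values are the real Windows ones:

```python
from enum import IntFlag


class Access(IntFlag):
    """Windows access-mask bits (real values from the Windows SDK)."""
    FILE_READ_DATA = 0x00000001
    FILE_WRITE_DATA = 0x00000002
    FILE_APPEND_DATA = 0x00000004
    FILE_READ_ATTRIBUTES = 0x00000080
    FILE_WRITE_ATTRIBUTES = 0x00000100
    DELETE = 0x00010000
    READ_CONTROL = 0x00020000
    WRITE_DAC = 0x00040000
    WRITE_OWNER = 0x00080000
    SYNCHRONIZE = 0x00100000


def access_check(desired, share_granted, object_granted):
    """Stage 1: every desired bit must be granted by the share permission,
    whatever the object's DACL says. Stage 2: the object store's own check.
    Returns (verdict, bits that were missing)."""
    missing = Access(int(desired) & ~int(share_granted))
    if missing:
        return "DENIED_BY_SHARE", missing
    missing = Access(int(desired) & ~int(object_granted))
    if missing:
        return "DENIED_BY_OBJECT", missing
    return "ALLOWED", Access(0)


# Constructed share permission for the user: read/write/delete, no WRITE_DAC.
SHARE_CHANGE = (Access.FILE_READ_DATA | Access.FILE_WRITE_DATA
                | Access.FILE_APPEND_DATA | Access.FILE_READ_ATTRIBUTES
                | Access.FILE_WRITE_ATTRIBUTES | Access.DELETE
                | Access.READ_CONTROL | Access.SYNCHRONIZE)

# Constructed DACL written on the new file at create time: it grants the
# creator WRITE_DAC on the object, but that can never satisfy stage 1.
CUSTOM_DACL_GRANT = SHARE_CHANGE | Access.WRITE_DAC | Access.WRITE_OWNER


def create_with_security_descriptor():
    """Analogue of frame 11: a CREATE that carries a security descriptor.
    The desired access is read/write only, so no WRITE_DAC is requested."""
    desired = Access.FILE_READ_DATA | Access.FILE_WRITE_DATA | Access.SYNCHRONIZE
    return access_check(desired, SHARE_CHANGE, CUSTOM_DACL_GRANT)


def open_for_write_dac():
    """Analogue of frame 15: an explicit WRITE_DAC request on the same file.
    The object's DACL would allow it; the share permission does not."""
    desired = Access.READ_CONTROL | Access.WRITE_DAC
    return access_check(desired, SHARE_CHANGE, CUSTOM_DACL_GRANT)


if __name__ == "__main__":
    print("create with SD:", create_with_security_descriptor()[0])
    print("open for WRITE_DAC:", open_for_write_dac()[0])
```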


-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Tuesday, June 28, 2011 11:57 AM
To: Obaid Farooqi
Cc: p...@tridgell.net; cifs-proto...@samba.org; MSSolve Case Email
Subject: Re: [Pfif] [REG:111052652308584] [ttal...@microsoft.com: Reminder -- 
share secdesc and smb2 echo?]

On Tue, Jun 28, 2011 at 04:55:53PM +0000, Obaid Farooqi wrote:
> Hi Volker:
> The information you gave is sufficient. We are still working on it. 
> I'll be in touch as soon as I have an answer.

Any expected timeframe? I have customers sitting on my back.
We might have to implement a short-term hack if this takes weeks or months.

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. 
Johannes Loxen

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
