mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Jeremy Allison 29b02cf22f lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.

E.g. The current logic has:

An ACL containing:

[0] SID: S-1-3-4
    TYPE: DENY
    MASK: WRITE_DATA
[1] SID: S-1-3-4
    TYPE: ALLOW
    MASK: ALLOW_ALL

prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.

Furthermore a non-canonical ACL containing:

[0] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: READ_DATA

[1] SID: S-1-3-4
    TYPE: DENY
    MASK: READ_DATA

[2] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: WRITE_DATA

prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-12-10 06:24:11 +01:00
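A simplified model of the evaluation the commit message describes, added here as an illustration (it is not Samba's se_access_check() code): it runs both ACLs from the message through the pre-fix behaviour, where owner-rights DENY bits are OR'd in unmasked, and through the corrected behaviour, where only the bits still being requested count. The enum SIDs, the access-mask bit values and the final "any accumulated owner-rights deny wins" rule are assumptions of the model, not taken from the Samba source.

```c
#include <stdint.h>
#include <stddef.h>
/* Simplified model of DACL evaluation with an owner-rights SID (S-1-3-4).
 * Constructed for illustration; not Samba's se_access_check() code. */
#define READ_DATA  0x1u
#define WRITE_DATA 0x2u
#define ALLOW_ALL  0xffffffffu
#define N(a) (sizeof(a) / sizeof((a)[0]))
enum ace_type { ACE_ALLOW, ACE_DENY };
enum sid { SID_OWNER_RIGHTS, SID_USER }; /* S-1-3-4 and the S-1-5-21-... owner */
struct ace { enum sid trustee; enum ace_type type; uint32_t mask; };
/* Evaluate acl for a token that holds SID_USER and owns the object.
 * Returns 1 if every bit of wanted is granted, 0 if access is denied.
 * buggy=1: owner-rights DENY bits are OR'd in unmasked (pre-fix behaviour);
 * buggy=0: only bits still being requested count (the fix). */
static int owner_access_check(const struct ace *acl, size_t n, uint32_t wanted, int buggy)
{
    uint32_t remaining = wanted;      /* requested bits not yet granted */
    uint32_t owner_allow = 0, owner_deny = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ace *a = &acl[i];
        if (a->trustee == SID_OWNER_RIGHTS) {
            if (a->type == ACE_ALLOW)
                owner_allow |= a->mask;
            else
                owner_deny |= buggy ? a->mask : (a->mask & remaining);
            continue;
        }
        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;    /* ordinary ACE: grant bits */
        else if (a->mask & remaining)
            return 0;                 /* deny of a still-needed bit */
    }
    if (owner_deny)
        return 0;                     /* any owner-rights deny wins (model assumption) */
    remaining &= ~owner_allow;
    return remaining == 0;
}
/* ACL 1 from the commit message: owner-rights DENY WRITE_DATA, then ALLOW ALL. */
static const struct ace acl1[] = {
    { SID_OWNER_RIGHTS, ACE_DENY,  WRITE_DATA },
    { SID_OWNER_RIGHTS, ACE_ALLOW, ALLOW_ALL  },
};
/* ACL 2 (non-canonical): user ALLOW READ, owner-rights DENY READ, user ALLOW WRITE. */
static const struct ace acl2[] = {
    { SID_USER,         ACE_ALLOW, READ_DATA  },
    { SID_OWNER_RIGHTS, ACE_DENY,  READ_DATA  },
    { SID_USER,         ACE_ALLOW, WRITE_DATA },
};
```

With the fix, ACL 1 still denies a WRITE_DATA request from the owner, so the change narrows the deny to what was asked for rather than removing it.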
auth libcli/auth: remove unused variable in msrpc_parse() 2016-07-06 19:07:16 +02:00
cldap s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address. 2016-10-18 02:16:20 +02:00
dns libdns: Small cleanup 2015-12-08 23:01:28 +01:00
drsuapi werror: replace WERR_SEC_E_DECRYPT_FAILURE with HRES_SEC_E_DECRYPT_FAILURE 2016-09-28 00:04:35 +02:00
echo libcli/echo: validate the message length 2012-09-22 04:31:06 +02:00
ldap typo: mplementation => implementation 2016-05-06 05:03:16 +02:00
lsarpc libcli/lsarpc: add struct trustAuthInOutBlob; forward declaration 2014-04-02 09:03:42 +02:00
named_pipe_auth libcli/named_pipe_auth: call smb_set_close_on_exec() in tstream_npa_socketpair() 2015-06-05 14:33:19 +02:00
nbt lib: Rename fgets_slash to x_fgets_slash 2016-11-20 02:28:11 +01:00
netlogon libcli/netlogon: We need to handle a bug in FreeIPA (at least <= 4.1.2). 2015-01-05 17:01:08 +01:00
registry build: Make util_reg subsystem in libcli/registry a library 2011-05-18 16:12:08 +02:00
samsync s3: add some forward declarations. 2011-04-12 12:20:43 +02:00
security lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries 2016-12-10 06:24:11 +01:00
smb libcli/smb: add smb1cli_session_setup_ext_send/recv() 2016-11-15 11:00:26 +01:00
smbreadline lib: Remove global xfile.h includes 2016-11-20 06:23:19 +01:00
util werror: removed WERR_RPC_E_INVALID_HEADER (unused, already known as HRES_RPC_E_INVALID_HEADER) 2016-09-28 00:04:36 +02:00