sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-21 18:04:06 +03:00
Code
samba-mirror/libcli
History
Jeremy Allison 8cdedfb6d7 lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries 
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.

E.g. The current logic has:

An ACL containining:

[0] SID: S-1-3-4
    TYPE: DENY
    MASK: WRITE_DATA
[1] SID: S-1-3-4
    TYPE: ALLOW
    MASK: ALLOW_ALL

prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.

Furthermore a non-canonical ACL containing:

[0] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: READ_DATA

[1] SID: S-1-3-4
    TYPE: DENY
    MASK: READ_DATA

[2] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: WRITE_DATA

prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96)
2017-01-02 11:56:53 +01:00
..
auth
libcli/auth: let msrpc_parse() return talloc'ed empty strings
2016-05-17 14:42:22 +02:00
cldap
s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address.
2016-10-24 10:56:13 +02:00
dns
libdns: Small cleanup
2015-12-08 23:01:28 +01:00
drsuapi
samdb: Add explicit dependency on ldb.
2016-01-13 04:43:22 +01:00
echo
libcli/echo: validate the message length
2012-09-22 04:31:06 +02:00
ldap
Rename 'errors' to 'samba-errors' and make it public.
2016-01-13 07:47:04 +01:00
lsarpc
libcli/lsarpc: add struct trustAuthInOutBlob; forward declaration
2014-04-02 09:03:42 +02:00
named_pipe_auth
libcli/named_pipe_auth: call smb_set_close_on_exec() in tstream_npa_socketpair()
2015-06-05 14:33:19 +02:00
nbt
dlist: remove unneeded type argument from DLIST_ADD_END()
2016-03-04 11:40:10 +01:00
netlogon
libcli/netlogon: We need to handle a bug in FreeIPA (at least <= 4.1.2).
2015-01-05 17:01:08 +01:00
registry
build: Make util_reg subsystem in libcli/registry a library
2011-05-18 16:12:08 +02:00
samsync
s3: add some forward declarations.
2011-04-12 12:20:43 +02:00
security
lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
2017-01-02 11:56:53 +01:00
smb
CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
2016-07-05 09:20:55 +02:00
smbreadline
Change the libreadline word-break character set to only space, TAB and NL so that we can attempt to do tab completion across backslashes.
2015-10-07 04:16:24 +02:00
util
Rename 'errors' to 'samba-errors' and make it public.
2016-01-13 07:47:04 +01:00