git.ipfire.org Git - thirdparty/samba.git/commit

author	Jeremy Allison <jra@samba.org>
	Thu, 8 Dec 2016 18:40:18 +0000 (10:40 -0800)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 15 Dec 2016 07:52:31 +0000 (08:52 +0100)
commit	29e228cfe55a0dfd391b7cd7d63b4dcf3faf71cc
tree	c6f38b0a421973dcc9045aea0d791b62a408603d	tree
parent	387368180913af6acdb0911a94123ac0c960cb17	commit \| diff

lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries

Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.

E.g. The current logic has:

An ACL containining:

[0] SID: S-1-3-4
    TYPE: DENY
    MASK: WRITE_DATA
[1] SID: S-1-3-4
    TYPE: ALLOW
    MASK: ALLOW_ALL

prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.

Furthermore a non-canonical ACL containing:

[0] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: READ_DATA

[1] SID: S-1-3-4
    TYPE: DENY
    MASK: READ_DATA

[2] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: WRITE_DATA

prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96)