git.ipfire.org Git - thirdparty/samba.git/commit

author	Jeremy Allison <jra@samba.org>
	Thu, 8 Dec 2016 18:40:18 +0000 (10:40 -0800)
committer	Jeremy Allison <jra@samba.org>
	Sat, 10 Dec 2016 05:24:11 +0000 (06:24 +0100)
commit	29b02cf22f3c0f2d556408e9e768d68c1efc3b96
tree	aaa8afe5b51fcb2e0db06e6912324bc9707b420b	tree
parent	44a01a2d3d15923e14516d5a9ffd195e6fe41e8b	commit \| diff

lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries

Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.

E.g. The current logic has:

An ACL containining:

[0] SID: S-1-3-4
    TYPE: DENY
    MASK: WRITE_DATA
[1] SID: S-1-3-4
    TYPE: ALLOW
    MASK: ALLOW_ALL

prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.

Furthermore a non-canonical ACL containing:

[0] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: READ_DATA

[1] SID: S-1-3-4
    TYPE: DENY
    MASK: READ_DATA

[2] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: WRITE_DATA

prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>