git.samba.org - samba.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Wed, 20 Aug 2014 11:58:38 +0000 (13:58 +0200)
committer	Stefan Metzmacher <metze@samba.org>
	Thu, 21 Aug 2014 22:28:08 +0000 (00:28 +0200)
commit	1b3ee5e5a336064f324715d46f80661305d93c28
tree	d8516e29871d2a866209b1f708eefd7ed9eb7a7f	tree
parent	f56bfffa51d86f96f0e71cf0c3fe23f1008ddd88	commit \| diff

s3:smbd: mask security_information input values with SMB_SUPPORTED_SECINFO_FLAGS

Sometimes Windows clients doesn't filter SECINFO_[UN]PROTECTED_[D|S]ACL flags
before sending the security_information to the server.

security_information = SECINFO_PROTECTED_DACL| SECINFO_DACL
results in a NULL dacl being returned from an GetSecurityDecriptor
request. This happens because posix_get_nt_acl_common()
has the following logic:

if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
... create DACL ...
}

I'm not sure if the logic is correct or wrong in this place (I guess it's
wrong...).

But what I know is that the SMB server should filter the given
security_information flags before passing to the filesystem.

[MS-SMB2] 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
...
The server MUST ignore any flag value in the AdditionalInformation field that
is not specified in section 2.2.37.

Section 2.2.37 lists:
OWNER_SECURITY_INFORMATION
GROUP_SECURITY_INFORMATION
DACL_SECURITY_INFORMATION
SACL_SECURITY_INFORMATION
LABEL_SECURITY_INFORMATION
ATTRIBUTE_SECURITY_INFORMATION
SCOPE_SECURITY_INFORMATION
BACKUP_SECURITY_INFORMATION

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

source3/smbd/nttrans.c		diff \| blob \| history
source3/smbd/posix_acls.c		diff \| blob \| history
source3/smbd/smb2_getinfo.c		diff \| blob \| history
source3/smbd/smb2_setinfo.c		diff \| blob \| history