-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Tridgell wrote:

| The "generic" bits are all mapped to "specific" bits
| as soon as the access mask is received by the server.

I understand the difference between standard and generic
bits see the other mail I sent you off list.

| So if there is any code in Samba3 that ever looks
| at the generic bits for any other purpose than mapping them
| to the specific bits then that is a bug.

No. What I was trying to fix was the interaction between
se_access_check and user rights (which I have now done).
Sorry. I should have sent more detail in the original mail.

| so the name STANDARD_GENERIC_WRITE is quite meaningless.

It was a typo I realized as soon as I sent the mail. Which
is why I sent you a follow up mail off list (not to create more
noise).

(which I now see that you got )

| > obviously I meant STANDARD_RIGHTS_WRITE_ACCESS (not generic).
|
| The term STANDARD_RIGHTS_WRITE_ACCESS also makes no sense. The
| "standard" bits don't include a "write access" bit at all.
| They do include a WRITE_DACL bit and a WRITE_OWNER bit,
| but those have nothing to do with file write access.
|
| The closest match I can think of is SEC_RIGHTS_FILE_WRITE,
| which is the set of bits that the SEC_GENERIC_WRITE bit
| maps to for files and directories.
|
| I know this might seem like nit-picking, but I think
| that one of the reasons the Samba3 access control code
| is so hard to follow is the mixing up of these terms
| in confusing ways.

The issue in the the access mask requested by the client
in the _samr_create_user() call. The standard bits 0x000d0000
are set which implies

(STD_RIGHT_WRITE_OWNER_ACCESS | \
STD_RIGHT_WRITE_DAC_ACCESS | \
STD_RIGHT_DELETE_ACCESS)

And while the name is somewhat misleading, the write access
mask for user objects is defined as


#define GENERIC_RIGHTS_USER_WRITE \
(STANDARD_RIGHTS_WRITE_ACCESS | \
SA_RIGHT_USER_CHANGE_PASSWORD | \
SA_RIGHT_USER_SET_LOC_COM | \
SA_RIGHT_USER_SET_ATTRIBUTES | \
SA_RIGHT_USER_SET_PASSWORD | \
SA_RIGHT_USER_CHANGE_GROUP_MEM) /* 0x000204e4 */


The problem was really the use of

#define STANDARD_RIGHTS_WRITE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS

What I was trying to determine was if the define for
STANDARD_RIGHTS_WRITE_ACCESS was derived from actual work or
just complete fiction. After talking to jeremy and yourself,
it appears to be fiction or at least an incomplete placeholder.

It was used in three other places: rpc_lsa.h, rpc_spoolss.h
and smb.h. For now I just

s/STANDARD_RIGHTS_WRITE_ACCESS/STD_RIGHT_READ_CONTROL_ACCESS/g

in smb.h and rpc_lsa.h. I think the combination used in the
create_user() call is probably the same one for the spoolss
pipes (admin acccess always request 0x000f000c).




cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB+ktpIR7qMdg1EfYRAjKIAKCg2aYsVE+wfk7fGpV+iv wQtF/A6gCeM/E1
iJApBYlDE+pIx5AKMd5ot28=
=1zOM
-----END PGP SIGNATURE-----