5902 Unable to take ownership, view permissions, or delete files...

Review Request #45 — Created May 2, 2015 and submitted May 8, 2015, 3:52 p.m.

Information
Owner:	gwr
Repository:	illumos-gate
Branch:
Bugs:	5902
Depends On:
Reviewers
Groups:	general
People:

Description

Server credentials were missing some Unix privileges that should be in place when the Windows privileges include "take ownwership"

Internal reviewers:
Alek Pinchuk

Testing Done

Verified that right-click ... "take ownership" works (if you're an Administrator - i.e. "root"-like, for those not familiar with the AD security model)
Field tested for quite some time.

Issues

0
0
1
0
All Issues: 1

Description	From	Last Updated
Wow, that's awfully heavy handed, isn't it? (I must admit, I have no idea what this windows priv. ultimately means, ...	richlowe	May 8, 2015, 2:21 p.m.

Description:

		Server credentials were missing some Unix privileges that should be in place when the Windows privileges include "take ownwership"
	+
	+	Internal reviewers:
	+	Alek Pinchuk

usr/src/uts/common/fs/smbsrv/smb_session_setup_andx.c (Diff revision 1)

Show all issues

Wow, that's awfully heavy handed, isn't it?

(I must admit, I have no idea what this windows priv. ultimately means, I'm just a bit freaked out by the additions)

gwr May 5, 2015, 1:37 a.m.

"take ownership privilege" is (by normal policies) given to members of the "Administrators" group. That normally includes the local (to the machine) Administrator account, and members of "Domain Admins". These principals in the Active Directory world are as close as you get to having "root" privileges in Unix. That's why these privileges look scary. We do in fact want to give (most of) what root gets here.

richlowe May 5, 2015, 4:23 p.m.

Ok. I guess that's unavoidable, but keep in mind how much potential for abuse this provides in the face of other bugs.

danmcd May 8, 2015, 2:05 p.m.

Your text above there, Gordon -- that's what I want in the code.

gwr May 8, 2015, 2:21 p.m.

Adding this at line: 443 (before that if block) look OK?
/
* In the AD world, "take ownership privilege" is very much
* like having Unix "root" privileges. It's normally given
* to members of the "Administrators" group, which normally
* includes the the local Administrator (like root) and when
* joined to a domain, "Domain Admins".
/

Testing Done:

~		Verified that right-click ... "take ownership" works.
	~	Verified that right-click ... "take ownership" works (if you're an Administrator - i.e. "root"-like, for those not familiar with the AD security model)
		Field tested for quite some time.