usr/src/uts/common/fs/smbsrv/smb_session_setup_andx.c (Diff revision 1)

Show all issues

Wow, that's awfully heavy handed, isn't it?
(I must admit, I have no idea what this windows priv. ultimately means, I'm just a bit freaked out by the additions)

1. 

   Gordon Ross May 4, 2015, 6:37 p.m.

   "take ownership privilege" is (by normal policies) given to members of the "Administrators" group.  That normally includes the local (to the machine) Administrator account, and members of "Domain Admins".  These principals in the Active Directory world are as close as you get to having "root" privileges in Unix.  That's why these privileges look scary.  We do in fact want to give (most of) what root gets here.

2. 

   Rich Lowe May 5, 2015, 9:23 a.m.

   Ok.  I guess that's unavoidable, but keep in mind how much potential for abuse this provides in the face of other bugs.

3. 

   Dan McDonald May 8, 2015, 7:05 a.m.

   Your text above there, Gordon -- that's what I want in the code.

4. 

   Gordon Ross May 8, 2015, 7:21 a.m.

   Adding this at line: 443 (before that if block)  look OK?
   
       /
   
        * In the AD world, "take ownership privilege" is very much
   
        * like having Unix "root" privileges.  It's normally given
   
        * to members of the "Administrators" group, which normally
   
        * includes the the local Administrator (like root) and when
   
        * joined to a domain, "Domain Admins".
   
   /

Ship It!

Ship It!