5902 Unable to take ownership, view permissions, or delete files...

Review Request #45 — Created May 2, 2015 and submitted

gwr
illumos-gate
5902
general

Server credentials were missing some Unix privileges that should be in place when the Windows privileges include "take ownership".

Internal reviewers:
Alek Pinchuk

Verified that right-click ... "take ownership" works (if you're an Administrator - i.e. "root"-like, for those not familiar with the AD security model)
Field tested for quite some time.

gwr
richlowe
  1. 
      
  2. Wow, that's awfully heavy handed, isn't it?

    (I must admit, I have no idea what this windows priv. ultimately means, I'm just a bit freaked out by the additions)

    1. "take ownership privilege" is (by normal policies) given to members of the "Administrators" group. That normally includes the local (to the machine) Administrator account, and members of "Domain Admins". These principals in the Active Directory world are as close as you get to having "root" privileges in Unix. That's why these privileges look scary. We do in fact want to give (most of) what root gets here.

    2. Ok. I guess that's unavoidable, but keep in mind how much potential for abuse this provides in the face of other bugs.

    3. Your text above there, Gordon -- that's what I want in the code.

    4. Adding this at line: 443 (before that if block) look OK?
      /*
       * In the AD world, "take ownership privilege" is very much
       * like having Unix "root" privileges. It's normally given
       * to members of the "Administrators" group, which normally
       * includes the local Administrator (like root) and when
       * joined to a domain, "Domain Admins".
       */

  3. 
      
gwr
richlowe
  1. Ship It!
  2. 
      
danmcd
  1. Ship It!
  2. 
      
gwr
Review request changed

Status: Closed (submitted)
