changeset 19208:02ce2cd09749
11773 Need ways to override Domain Admins' full control
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Andrew Stormont <astormont@racktopsystems.com>
Approved by: Garrett D'Amore <garrett@damore.org>
author | Matt Barden <matt.barden@nexenta.com> |
---|---|
date | Tue, 19 Mar 2019 14:59:16 -0400 |
parents | 7098469e13b5 |
children | 8e16267bae6b |
files | usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c usr/src/cmd/smbsrv/smbadm/smbadm.c usr/src/lib/smbsrv/libsmb/common/smb_privilege.c usr/src/man/man1m/smbadm.1m usr/src/uts/common/fs/smbsrv/smb_authenticate.c usr/src/uts/common/fs/smbsrv/smb_cred.c usr/src/uts/common/fs/smbsrv/smb_user.c usr/src/uts/common/smbsrv/smb_ktypes.h usr/src/uts/common/smbsrv/smb_privilege.h |
diffstat | 9 files changed, 122 insertions(+), 40 deletions(-) [+] |
--- a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c Tue Mar 19 14:59:16 2019 -0400 @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ #include <mdb/mdb_modapi.h> @@ -1409,6 +1409,12 @@ { "CHANGE_NOTIFY", SMB_USER_PRIV_CHANGE_NOTIFY, SMB_USER_PRIV_CHANGE_NOTIFY }, + { "READ_FILE", + SMB_USER_PRIV_READ_FILE, + SMB_USER_PRIV_READ_FILE }, + { "WRITE_FILE", + SMB_USER_PRIV_WRITE_FILE, + SMB_USER_PRIV_WRITE_FILE }, { NULL, 0, 0 } };
--- a/usr/src/cmd/smbsrv/smbadm/smbadm.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/cmd/smbsrv/smbadm/smbadm.c Tue Mar 19 14:59:16 2019 -0400 @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -178,6 +178,10 @@ static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop); static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop); static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop); +static int smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop); +static int smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop); +static int smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop); +static int smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop); static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop); static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop); static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop); @@ -192,6 +196,10 @@ smbadm_getprop_restore, smbadm_chkprop_priv }, {"take-ownership", "on|off", smbadm_setprop_tkowner, smbadm_getprop_tkowner, smbadm_chkprop_priv }, + {"bypass-read", "on|off", smbadm_setprop_readfile, + smbadm_getprop_readfile, smbadm_chkprop_priv }, + {"bypass-write", "on|off", smbadm_setprop_writefile, + smbadm_getprop_writefile, smbadm_chkprop_priv }, {"description", "<string>", smbadm_setprop_desc, smbadm_getprop_desc, NULL }, }; 
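Review bot: The new property table entries introduce a third name for each of the two new privileges: the user sees `bypass-read`/`bypass-write`, the privilege table calls them `BypassAclRead`/`BypassAclWrite`, and the code uses `SE_READ_FILE_LUID`/`SE_WRITE_FILE_LUID` with no "bypass" in the identifier at all. That is workable, but nothing in this hunk ties the `smbadm` property to the privilege name an administrator will see in other output, so a one-line comment above the two entries, `/* "bypass-read"/"bypass-write" map to the BypassAclRead/BypassAclWrite privileges (SE_READ_FILE_LUID/SE_WRITE_FILE_LUID). */`, would spare the next reader a three-way lookup. The `smbadm_prop_table` initializer and the prototype list both begin outside this hunk.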
@@ -1807,6 +1815,30 @@ } static int +smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_setpriv(gname, SE_READ_FILE_LUID, prop)); +} + +static int +smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_getpriv(gname, SE_READ_FILE_LUID, prop)); +} + +static int +smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_setpriv(gname, SE_WRITE_FILE_LUID, prop)); +} + +static int +smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_getpriv(gname, SE_WRITE_FILE_LUID, prop)); +} + +static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop) { return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop));
--- a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c Tue Mar 19 14:59:16 2019 -0400 @@ -21,6 +21,8 @@ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -79,7 +81,11 @@ "Modify firmware environment values", 0 }, { 23, SE_CHANGE_NOTIFY_NAME, "Bypass traverse checking", 0 }, { 24, SE_REMOTE_SHUTDOWN_NAME, - "Force shutdown from a remote system", 0 } + "Force shutdown from a remote system", 0 }, + { 25, SE_READ_FILE_NAME, + "Bypass ACL for READ access", PF_PRESENTABLE }, + { 26, SE_WRITE_FILE_NAME, + "Bypass ACL for WRITE and DELETE access", PF_PRESENTABLE }, }; /*
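Review bot: The description for LUID 26, `"Bypass ACL for WRITE and DELETE access"`, understates what the kernel side of this changeset grants for it: smb_user.c maps SE_WRITE_FILE to `PRIV_FILE_DAC_WRITE` plus `PRIV_FILE_OWNER`, and on illumos the latter also lets a non-owner change a file's mode and ACL, so a holder can grant further access rather than merely write or delete. Suggest `"Bypass ACL for WRITE, DELETE and ACL-change access"` so that privilege listings do not present it as narrower than it is. The two new rows are also the only ones flagged `PF_PRESENTABLE` and use names (`BypassAclRead`, `BypassAclWrite`) that do not follow the `Se…Privilege` pattern of the Windows-defined rows; if that is intended to mark them as local, non-Windows privileges, a short comment above them saying so would keep the next reader from treating it as an oversight. The `priv_table` initializer this hunk edits begins outside the hunk.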
--- a/usr/src/man/man1m/smbadm.1m Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/man/man1m/smbadm.1m Tue Mar 19 14:59:16 2019 -0400 @@ -16,9 +16,9 @@ .\" .\" .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.\" Copyright 2017 Nexenta Systems, Inc. +.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved. .\" -.Dd November 18, 2017 +.Dd June 6, 2019 .Dt SMBADM 1M .Os .Sh NAME @@ -252,6 +252,10 @@ .It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off Specifies whether members of the SMB local group can take ownership of file system objects. +.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off +Specifies whether members of the SMB local group can always bypass Read access controls. +.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off +Specifies whether members of the SMB local group can always bypass Write and Delete access controls. .El .It Xo .Cm add-member
--- a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c Tue Mar 19 14:59:16 2019 -0400 @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -544,6 +544,12 @@ if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) privileges |= SMB_USER_PRIV_CHANGE_NOTIFY; + if (smb_token_query_privilege(token, SE_READ_FILE_LUID)) + privileges |= SMB_USER_PRIV_READ_FILE; + + if (smb_token_query_privilege(token, SE_WRITE_FILE_LUID)) + privileges |= SMB_USER_PRIV_WRITE_FILE; + return (privileges); }
--- a/usr/src/uts/common/fs/smbsrv/smb_cred.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/uts/common/fs/smbsrv/smb_cred.c Tue Mar 19 14:59:16 2019 -0400 @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -97,35 +97,6 @@ ksidlist = smb_cred_set_sidlist(&token->tkn_win_grps); crsetsidlist(cr, ksidlist); - /* - * In the AD world, "take ownership privilege" is very much - * like having Unix "root" privileges. It's normally given - * to members of the "Administrators" group, which normally - * includes the the local Administrator (like root) and when - * joined to a domain, "Domain Admins". - */ - if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID)) { - (void) crsetpriv(cr, - PRIV_FILE_CHOWN, - PRIV_FILE_DAC_READ, - PRIV_FILE_DAC_SEARCH, - PRIV_FILE_DAC_WRITE, - PRIV_FILE_OWNER, - NULL); - } - - /* - * See smb.4 bypass_traverse_checking - * - * For historical reasons, the Windows privilege is named - * SeChangeNotifyPrivilege, though the description is - * "Bypass traverse checking". - */ - if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) { - (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL); - } - - return (cr); }
--- a/usr/src/uts/common/fs/smbsrv/smb_user.c Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/uts/common/fs/smbsrv/smb_user.c Tue Mar 19 14:59:16 2019 -0400 @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. * Copyright (c) 2016 by Delphix. All rights reserved. */ 
@@ -755,6 +755,57 @@ ASSERT(cr); crhold(cr); + /* + * See smb.4 bypass_traverse_checking + * + * For historical reasons, the Windows privilege is named + * SeChangeNotifyPrivilege, though the description is + * "Bypass traverse checking". + */ + if ((privileges & SMB_USER_PRIV_CHANGE_NOTIFY) != 0) { + (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL); + } + + /* + * Window's "take ownership privilege" is similar to our + * PRIV_FILE_CHOWN privilege. It's normally given to members of the + * "Administrators" group, which normally includes the the local + * Administrator (like root) and when joined to a domain, + * "Domain Admins". + */ + if ((privileges & SMB_USER_PRIV_TAKE_OWNERSHIP) != 0) { + (void) crsetpriv(cr, + PRIV_FILE_CHOWN, + PRIV_FILE_CHOWN_SELF, + NULL); + } + + /* + * Bypass ACL for READ accesses. + */ + if ((privileges & SMB_USER_PRIV_READ_FILE) != 0) { + (void) crsetpriv(cr, PRIV_FILE_DAC_READ, NULL); + } + + /* + * Bypass ACL for WRITE accesses. + * Include FILE_OWNER, as it covers WRITE_ACL and DELETE. + */ + if ((privileges & SMB_USER_PRIV_WRITE_FILE) != 0) { + (void) crsetpriv(cr, + PRIV_FILE_DAC_WRITE, + PRIV_FILE_OWNER, + NULL); + } + + /* + * These privileges are used only when a file is opened with + * 'backup intent'. These allow users to bypass certain access + * controls. Administrators typically have these privileges, + * and they are used during recursive take-ownership operations. + * Some commonly used tools use 'backup intent' to administrate + * files that do not grant explicit permissions to Administrators. + */ if (privileges & (SMB_USER_PRIV_BACKUP | SMB_USER_PRIV_RESTORE)) privcred = crdup(cr);
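Review bot: The `SMB_USER_PRIV_WRITE_FILE` branch grants `PRIV_FILE_OWNER` alongside `PRIV_FILE_DAC_WRITE`, which is broader than "bypass ACL for WRITE" suggests: as documented in privileges(5), FILE_OWNER also permits a non-owner to change a file's permission bits and ACL, so a bypass-write group member can rewrite ACLs to grant any principal any access, which is full control short of taking ownership. The comment above that branch should say so plainly, e.g. `/* FILE_OWNER also permits chmod/WRITE_ACL, so bypass-write is effectively full control short of taking ownership. */`, and the man page and privilege description in this changeset should carry the same caveat. Separately, the take-ownership branch now sets only `PRIV_FILE_CHOWN` and `PRIV_FILE_CHOWN_SELF`, whereas the code removed from smb_cred.c in this changeset also set DAC_READ, DAC_SEARCH, DAC_WRITE and FILE_OWNER; groups that relied on take-ownership for implicit full control will lose it on upgrade unless something outside this diff enables bypass-read/bypass-write for them, which appears to be the intent but is not stated, and the comment does not explain why CHOWN_SELF is now needed. Note also that `crsetpriv()` mutates `cr` in place after `crhold(cr)`, which is only safe while no other holder can observe the cred; a comment stating that `cr` is expected to be freshly created and unshared would make that assumption explicit. The enclosing function begins and ends outside this hunk.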
--- a/usr/src/uts/common/smbsrv/smb_ktypes.h Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/uts/common/smbsrv/smb_ktypes.h Tue Mar 19 14:59:16 2019 -0400 @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -1012,6 +1012,8 @@ #define SMB_USER_PRIV_BACKUP (1<<17) /* SE_BACKUP_LUID */ #define SMB_USER_PRIV_RESTORE (1<<18) /* SE_RESTORE_LUID */ #define SMB_USER_PRIV_CHANGE_NOTIFY (1<<23) /* SE_CHANGE_NOTIFY_LUID */ +#define SMB_USER_PRIV_READ_FILE (1<<25) /* SE_READ_FILE_LUID */ +#define SMB_USER_PRIV_WRITE_FILE (1<<26) /* SE_WRITE_FILE_LUID */ /* * See the long "User State Machine" comment in smb_user.c
--- a/usr/src/uts/common/smbsrv/smb_privilege.h Mon Apr 22 17:08:29 2019 -0400 +++ b/usr/src/uts/common/smbsrv/smb_privilege.h Tue Mar 19 14:59:16 2019 -0400 @@ -22,7 +22,7 @@ * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ #ifndef _SMB_PRIVILEGE_H @@ -97,6 +97,8 @@ #define SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironmentPrivilege" #define SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege" #define SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege" +#define SE_READ_FILE_NAME "BypassAclRead" +#define SE_WRITE_FILE_NAME "BypassAclWrite" #define SE_MIN_LUID 2 #define SE_CREATE_TOKEN_LUID 2 @@ -122,7 +124,9 @@ #define SE_SYSTEM_ENVIRONMENT_LUID 22 #define SE_CHANGE_NOTIFY_LUID 23 #define SE_REMOTE_SHUTDOWN_LUID 24 -#define SE_MAX_LUID 24 +#define SE_READ_FILE_LUID 25 +#define SE_WRITE_FILE_LUID 26 +#define SE_MAX_LUID 26 /* * Privilege attributes