changeset 19208:02ce2cd09749

11773 Need ways to override Domain Admins' full control Reviewed by: Gordon Ross <gordon.ross@nexenta.com> Reviewed by: Evan Layton <evan.layton@nexenta.com> Reviewed by: Andrew Stormont <astormont@racktopsystems.com> Approved by: Garrett D'Amore <garrett@damore.org>
author Matt Barden <matt.barden@nexenta.com>
date Tue, 19 Mar 2019 14:59:16 -0400
parents 7098469e13b5
children 8e16267bae6b
files usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c usr/src/cmd/smbsrv/smbadm/smbadm.c usr/src/lib/smbsrv/libsmb/common/smb_privilege.c usr/src/man/man1m/smbadm.1m usr/src/uts/common/fs/smbsrv/smb_authenticate.c usr/src/uts/common/fs/smbsrv/smb_cred.c usr/src/uts/common/fs/smbsrv/smb_user.c usr/src/uts/common/smbsrv/smb_ktypes.h usr/src/uts/common/smbsrv/smb_privilege.h
diffstat 9 files changed, 122 insertions(+), 40 deletions(-) [+]
--- a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c	Tue Mar 19 14:59:16 2019 -0400
@@ -21,7 +21,7 @@
 
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 #include <mdb/mdb_modapi.h>
@@ -1409,6 +1409,12 @@
 	{ "CHANGE_NOTIFY",
 	    SMB_USER_PRIV_CHANGE_NOTIFY,
 	    SMB_USER_PRIV_CHANGE_NOTIFY },
+	{ "READ_FILE",
+	    SMB_USER_PRIV_READ_FILE,
+	    SMB_USER_PRIV_READ_FILE },
+	{ "WRITE_FILE",
+	    SMB_USER_PRIV_WRITE_FILE,
+	    SMB_USER_PRIV_WRITE_FILE },
 	{ NULL, 0, 0 }
 };
 
--- a/usr/src/cmd/smbsrv/smbadm/smbadm.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/cmd/smbsrv/smbadm/smbadm.c	Tue Mar 19 14:59:16 2019 -0400
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -178,6 +178,10 @@
 static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop);
 static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop);
 static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop);
+static int smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop);
+static int smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop);
+static int smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop);
+static int smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop);
 static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop);
 static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop);
 static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop);
@@ -192,6 +196,10 @@
 	smbadm_getprop_restore,	smbadm_chkprop_priv	},
 	{"take-ownership", "on|off",	smbadm_setprop_tkowner,
 	smbadm_getprop_tkowner,	smbadm_chkprop_priv	},
+	{"bypass-read", "on|off",	smbadm_setprop_readfile,
+	smbadm_getprop_readfile,	smbadm_chkprop_priv	},
+	{"bypass-write", "on|off",	smbadm_setprop_writefile,
+	smbadm_getprop_writefile,	smbadm_chkprop_priv	},
 	{"description",	"<string>",	smbadm_setprop_desc,
 	smbadm_getprop_desc,	NULL			},
 };
@@ -1807,6 +1815,30 @@
 }
 
 static int
+smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop)
+{
+	return (smbadm_group_setpriv(gname, SE_READ_FILE_LUID, prop));
+}
+
+static int
+smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop)
+{
+	return (smbadm_group_getpriv(gname, SE_READ_FILE_LUID, prop));
+}
+
+static int
+smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop)
+{
+	return (smbadm_group_setpriv(gname, SE_WRITE_FILE_LUID, prop));
+}
+
+static int
+smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop)
+{
+	return (smbadm_group_getpriv(gname, SE_WRITE_FILE_LUID, prop));
+}
+
+static int
 smbadm_setprop_backup(char *gname, smbadm_prop_t *prop)
 {
 	return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop));
--- a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c	Tue Mar 19 14:59:16 2019 -0400
@@ -21,6 +21,8 @@
 /*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -79,7 +81,11 @@
 	    "Modify firmware environment values", 0 },
 	{ 23, SE_CHANGE_NOTIFY_NAME, "Bypass traverse checking", 0 },
 	{ 24, SE_REMOTE_SHUTDOWN_NAME,
-	    "Force shutdown from a remote system", 0 }
+	    "Force shutdown from a remote system", 0 },
+	{ 25, SE_READ_FILE_NAME,
+	    "Bypass ACL for READ access", PF_PRESENTABLE },
+	{ 26, SE_WRITE_FILE_NAME,
+	    "Bypass ACL for WRITE and DELETE access", PF_PRESENTABLE },
 };
 
 /*
--- a/usr/src/man/man1m/smbadm.1m	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/man/man1m/smbadm.1m	Tue Mar 19 14:59:16 2019 -0400
@@ -16,9 +16,9 @@
 .\"
 .\"
 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.\" Copyright 2017 Nexenta Systems, Inc.
+.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
 .\"
-.Dd November 18, 2017
+.Dd June 6, 2019
 .Dt SMBADM 1M
 .Os
 .Sh NAME
@@ -252,6 +252,10 @@
 .It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
 Specifies whether members of the SMB local group can take ownership of file
 system objects.
+.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
+Specifies whether members of the SMB local group can always bypass Read access controls.
+.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
+Specifies whether members of the SMB local group can always bypass Write and Delete access controls.
 .El
 .It Xo
 .Cm add-member
--- a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c	Tue Mar 19 14:59:16 2019 -0400
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -544,6 +544,12 @@
 	if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID))
 		privileges |= SMB_USER_PRIV_CHANGE_NOTIFY;
 
+	if (smb_token_query_privilege(token, SE_READ_FILE_LUID))
+		privileges |= SMB_USER_PRIV_READ_FILE;
+
+	if (smb_token_query_privilege(token, SE_WRITE_FILE_LUID))
+		privileges |= SMB_USER_PRIV_WRITE_FILE;
+
 	return (privileges);
 }
 
--- a/usr/src/uts/common/fs/smbsrv/smb_cred.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/uts/common/fs/smbsrv/smb_cred.c	Tue Mar 19 14:59:16 2019 -0400
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -97,35 +97,6 @@
 	ksidlist = smb_cred_set_sidlist(&token->tkn_win_grps);
 	crsetsidlist(cr, ksidlist);
 
-	/*
-	 * In the AD world, "take ownership privilege" is very much
-	 * like having Unix "root" privileges.  It's normally given
-	 * to members of the "Administrators" group, which normally
-	 * includes the the local Administrator (like root) and when
-	 * joined to a domain, "Domain Admins".
-	 */
-	if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID)) {
-		(void) crsetpriv(cr,
-		    PRIV_FILE_CHOWN,
-		    PRIV_FILE_DAC_READ,
-		    PRIV_FILE_DAC_SEARCH,
-		    PRIV_FILE_DAC_WRITE,
-		    PRIV_FILE_OWNER,
-		    NULL);
-	}
-
-	/*
-	 * See smb.4 bypass_traverse_checking
-	 *
-	 * For historical reasons, the Windows privilege is named
-	 * SeChangeNotifyPrivilege, though the description is
-	 * "Bypass traverse checking".
-	 */
-	if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) {
-		(void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
-	}
-
-
 	return (cr);
 }
 
--- a/usr/src/uts/common/fs/smbsrv/smb_user.c	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/uts/common/fs/smbsrv/smb_user.c	Tue Mar 19 14:59:16 2019 -0400
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  * Copyright (c) 2016 by Delphix. All rights reserved.
  */
 
@@ -755,6 +755,57 @@
 	ASSERT(cr);
 	crhold(cr);
 
+	/*
+	 * See smb.4 bypass_traverse_checking
+	 *
+	 * For historical reasons, the Windows privilege is named
+	 * SeChangeNotifyPrivilege, though the description is
+	 * "Bypass traverse checking".
+	 */
+	if ((privileges & SMB_USER_PRIV_CHANGE_NOTIFY) != 0) {
+		(void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
+	}
+
+	/*
+	 * Window's "take ownership privilege" is similar to our
+	 * PRIV_FILE_CHOWN privilege. It's normally given to members of the
+	 * "Administrators" group, which normally includes the the local
+	 * Administrator (like root) and when joined to a domain,
+	 * "Domain Admins".
+	 */
+	if ((privileges & SMB_USER_PRIV_TAKE_OWNERSHIP) != 0) {
+		(void) crsetpriv(cr,
+		    PRIV_FILE_CHOWN,
+		    PRIV_FILE_CHOWN_SELF,
+		    NULL);
+	}
+
+	/*
+	 * Bypass ACL for READ accesses.
+	 */
+	if ((privileges & SMB_USER_PRIV_READ_FILE) != 0) {
+		(void) crsetpriv(cr, PRIV_FILE_DAC_READ, NULL);
+	}
+
+	/*
+	 * Bypass ACL for WRITE accesses.
+	 * Include FILE_OWNER, as it covers WRITE_ACL and DELETE.
+	 */
+	if ((privileges & SMB_USER_PRIV_WRITE_FILE) != 0) {
+		(void) crsetpriv(cr,
+		    PRIV_FILE_DAC_WRITE,
+		    PRIV_FILE_OWNER,
+		    NULL);
+	}
+
+	/*
+	 * These privileges are used only when a file is opened with
+	 * 'backup intent'. These allow users to bypass certain access
+	 * controls. Administrators typically have these privileges,
+	 * and they are used during recursive take-ownership operations.
+	 * Some commonly used tools use 'backup intent' to administrate
+	 * files that do not grant explicit permissions to Administrators.
+	 */
 	if (privileges & (SMB_USER_PRIV_BACKUP | SMB_USER_PRIV_RESTORE))
 		privcred = crdup(cr);
 
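Review bot: The comment added above the take-ownership block carries two wording slips: `Window's` should be `Windows'`, and `the the local` should be `the local` (the doubled word was copied over from the block removed in smb_cred.c). Proposed lines: `* Windows' "take ownership privilege" is similar to our` and `* "Administrators" group, which normally includes the local`. Because this block now grants only PRIV_FILE_CHOWN and PRIV_FILE_CHOWN_SELF, where the removed smb_cred.c code also granted the DAC and FILE_OWNER privileges, the comment would also benefit from a sentence stating that read/write bypass is deliberately split out into the READ_FILE and WRITE_FILE blocks below, so a later reader does not "restore" them here. The enclosing function starts before this hunk and continues past it.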
--- a/usr/src/uts/common/smbsrv/smb_ktypes.h	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/uts/common/smbsrv/smb_ktypes.h	Tue Mar 19 14:59:16 2019 -0400
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -1012,6 +1012,8 @@
 #define	SMB_USER_PRIV_BACKUP		(1<<17)	/* SE_BACKUP_LUID */
 #define	SMB_USER_PRIV_RESTORE		(1<<18)	/* SE_RESTORE_LUID */
 #define	SMB_USER_PRIV_CHANGE_NOTIFY	(1<<23)	/* SE_CHANGE_NOTIFY_LUID */
+#define	SMB_USER_PRIV_READ_FILE		(1<<25)	/* SE_READ_FILE_LUID */
+#define	SMB_USER_PRIV_WRITE_FILE	(1<<26)	/* SE_WRITE_FILE_LUID */
 
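Review bot: The new bit definitions appear to rely on the bit position being equal to the privilege LUID (1<<23 pairs with SE_CHANGE_NOTIFY_LUID 23 in smb_privilege.h, and the new 1<<25 and 1<<26 pair with LUIDs 25 and 26), but nothing in this header states that invariant, and SE_MAX_LUID now sits at 26 with little headroom before a 32-bit mask would overflow. A comment above the group, e.g. `/* Bit position is the SE_*_LUID value; keep every LUID below the width of the privileges mask */`, would make the coupling with smb_privilege.h explicit. The declared type of the privileges field is not visible in this hunk, so the exact limit should be confirmed against it.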
 /*
  * See the long "User State Machine" comment in smb_user.c
--- a/usr/src/uts/common/smbsrv/smb_privilege.h	Mon Apr 22 17:08:29 2019 -0400
+++ b/usr/src/uts/common/smbsrv/smb_privilege.h	Tue Mar 19 14:59:16 2019 -0400
@@ -22,7 +22,7 @@
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
- * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 #ifndef _SMB_PRIVILEGE_H
@@ -97,6 +97,8 @@
 #define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
 #define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
 #define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"
+#define	SE_READ_FILE_NAME		"BypassAclRead"
+#define	SE_WRITE_FILE_NAME		"BypassAclWrite"
 
 #define	SE_MIN_LUID			2
 #define	SE_CREATE_TOKEN_LUID		2
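Review bot: `BypassAclRead` and `BypassAclWrite` are the only SE_*_NAME values that do not follow the `Se...Privilege` form used by every other entry, and nothing says whether that is deliberate. If the intent is to mark them as local privileges with no Windows counterpart (the smb_privilege.c descriptions suggest as much), a one-line comment above them, e.g. `/* Local privileges with no Windows equivalent; intentionally not named Se*Privilege */`, would stop a later cleanup from renaming them to match the pattern. If they are instead meant to be visible to Windows clients through privilege enumeration, that should be stated here too.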
@@ -122,7 +124,9 @@
 #define	SE_SYSTEM_ENVIRONMENT_LUID	22
 #define	SE_CHANGE_NOTIFY_LUID		23
 #define	SE_REMOTE_SHUTDOWN_LUID		24
-#define	SE_MAX_LUID			24
+#define	SE_READ_FILE_LUID		25
+#define	SE_WRITE_FILE_LUID		26
+#define	SE_MAX_LUID			26
 
 /*
  * Privilege attributes