NTFS permissions on a CIFS share do not take effect for a specific user
- Category: ontap-9
- Specialty: nas
- Tags: CIFS, NTFS, ACL, 1079649, BR16343, SeTcbPrivilege, Superuser
Environment
ONTAP 9
Issue
- A user can access a CIFS share even though the ACL does not grant that user access
- The user holds the SeTcbPrivilege privilege
Example:
::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name test\user1
UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
GID: pcuser
Supplementary GIDs (partial):
pcuser
Primary Group SID: TEST\Domain Users (Windows Domain group)
Windows Membership:
TEST\Domain Users (Windows Domain group)
Service asserted identity (Windows Well known group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x2088):
SeTcbPrivilege
::> cifs users-and-groups privilege show
Vserver User or Group Name Privileges
-------------- ---------------------------- -------------------
svm DEMO\backdoor SeTcbPrivilege
- The share permissions do not show any access for this user either
::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
File Path: /vol1/
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI
Note: The only ACE (ALLOW-TEST\Domain Admins) shows that access is granted to Domain Admins alone.
- The vserver security trace output for the user in question reads: "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".
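As an added check (example code written for this article, not a NetApp tool), the following Python parses the text output of cifs users-and-groups privilege show and lists every account on any SVM that holds SeTcbPrivilege, the privilege that lets a user bypass the NTFS ACL evaluation described above. The column layout follows the table shown earlier; the extra sample rows and the assumption that several privileges appear comma-separated on one line are constructed for the example.

```python
# Constructed sample modelled on the "cifs users-and-groups privilege show"
# output in this article. The DEMO\backdoor row is the one the article shows;
# the other rows are made up to exercise the parser.
SAMPLE_OUTPUT = """\
Vserver        User or Group Name           Privileges
-------------- ---------------------------- -------------------
svm            DEMO\\backdoor               SeTcbPrivilege
svm            BUILTIN\\Backup Operators    SeBackupPrivilege,SeRestorePrivilege
svm2           DEMO\\svc-tcb                SeTcbPrivilege,SeBackupPrivilege
3 entries were displayed.
"""


def parse_privilege_table(text):
    """Parse the table into a list of (vserver, principal, [privileges])."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the dashed separator.
        if len(parts) < 3 or parts[0] == "Vserver" or parts[0].startswith("---"):
            continue
        # Skip the "N entries were displayed." trailer.
        if "entries were displayed" in line or "entry was displayed" in line:
            continue
        vserver, privileges = parts[0], parts[-1]
        # The principal may contain spaces (e.g. BUILTIN\Backup Operators),
        # so it is everything between the vserver and the privilege column.
        principal = " ".join(parts[1:-1])
        rows.append((vserver, principal, [p for p in privileges.split(",") if p]))
    return rows


def find_privilege_holders(text, privilege="SeTcbPrivilege"):
    """Return (vserver, principal) pairs whose privilege list contains `privilege`."""
    return [(v, p) for v, p, privs in parse_privilege_table(text) if privilege in privs]


if __name__ == "__main__":
    for vserver, principal in find_privilege_holders(SAMPLE_OUTPUT):
        print(f"{vserver}: {principal} holds SeTcbPrivilege and bypasses NTFS ACL checks")
```

Run it against the saved output of the command on each cluster; any principal it lists should be reviewed against the share's intended ACL.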