CIFS 共享上的 NTFS 权限不会对特定用户生效

最后更新
另存为PDF

Views:: 119

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas<a>CIFS</a><a>NTFS</a><a>ACL</a><a>1079649</a><a>BR16343</a><a>SeTcbPrivilege</a><a>Superuser</a>

Last Updated:

适用场景

ONTAP 9.

问题描述

即使ACL不允许访问、也能够访问CIFS共享的用户
用户具有SeTcb特权

示例：

::> set diag ::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name test\user1 UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User) GID: pcuser Supplementary GIDs (partial): pcuser Primary Group SID: TEST\Domain Users (Windows Domain group) Windows Membership: TEST\Domain Users (Windows Domain group) Service asserted identity (Windows Well known group) BUILTIN\Users (Windows Alias) User is also a member of Everyone, Authenticated Users, and Network Users Privileges (0x2088): SeTcbPrivilege

::> cifs users-and-groups privilege show Vserver User or Group Name Privileges -------------- ---------------------------- ------------------- svm DEMO\backdoor SeTcbPrivilege

共享权限也会显示此用户无访问权限

::*> file-directory show -vserver svm -path /vol1/ (vserver security file-directory show) Vserver: svm File Path: /vol1/ File Inode Number: 64 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x9504 Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI

注意： 突出显示的行表示仅允许域管理员访问

vserver security trace 相关用户的输出

"Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".