samba - Jun 2024 - SeDiskOperatorPrivilege_Privilege

On Tue, Jun 11, 2024 at 05:20:53PM +0100, Rowland Penny
wrote:
>>
>> So it looks like it's still checked if you're trying to modify
>> share definitions via RPC (at least in the old S3 rpc server).
>>
>> Jeremy.
>>
>
>I am not saying it isn't there, I am saying (and others have found the
>same) that if you are setting share permissions from Windows, then
>'SeDiskOperatorPrivilege' doesn't seem to do anything, what does
count
>is that the user doing the change has ownership of the share or is a
>member of the shares group, either must have full control. To put it
>another way, you can set permissions from Windows if no user or group
>has the 'SeDiskOperatorPrivilege' privilege.
Share permissions don't seem to be set via NetShareSetInfo,
and also the S4 RPC server doesn't check SeDiskOperatorPrivilege,
only the S3 RPC server.

On Tue, 11 Jun 2024 09:26:29 -0700
Jeremy Allison via samba <samba at lists.samba.org> wrote:
> On Tue, Jun 11, 2024 at 05:20:53PM +0100, Rowland Penny wrote:
> >>
> >> So it looks like it's still checked if you're trying to
modify
> >> share definitions via RPC (at least in the old S3 rpc server).
> >>
> >> Jeremy.
> >>
> >
> >I am not saying it isn't there, I am saying (and others have found
> >the same) that if you are setting share permissions from Windows,
> >then 'SeDiskOperatorPrivilege' doesn't seem to do anything,
what
> >does count is that the user doing the change has ownership of the
> >share or is a member of the shares group, either must have full
> >control. To put it another way, you can set permissions from Windows
> >if no user or group has the 'SeDiskOperatorPrivilege'
privilege.
> 
> Share permissions don't seem to be set via NetShareSetInfo,
> and also the S4 RPC server doesn't check SeDiskOperatorPrivilege,
> only the S3 RPC server.
> 
Oh Hum, we have only been saying for over 10 years, that you must set
the 'SeDiskOperatorPrivilege' if setting share permissions from Windows.

I will re-write the wikipage.

Rowland