3.3.5.21.3 Handling SMB2_0_INFO_SECURITY

The following section assumes knowledge about security concepts as described in [MS-WPO] section 9 and specified in [MS-DTYP].<418>

The server MUST ignore any flag value in the AdditionalInformation field that is not specified in section 2.2.39.

  1. If SACL_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include ACCESS_SYSTEM_SECURITY, the server MUST fail the request with STATUS_ACCESS_DENIED.

  2. If DACL_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include WRITE_DAC, the server MUST fail the request with STATUS_ACCESS_DENIED.

  3. If the object store supports security, any of LABEL_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, or OWNER_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include WRITE_OWNER, the server MUST fail the request with STATUS_ACCESS_DENIED.

  4. If ATTRIBUTE_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include WRITE_DAC, the server SHOULD<419> fail the request with STATUS_ACCESS_DENIED.

  5. If SCOPE_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include ACCESS_SYSTEM_SECURITY, the server SHOULD<420> fail the request with STATUS_ACCESS_DENIED.

  6. If BACKUP_SECURITY_INFORMATION is set in the AdditionalInformation field of the request, and Open.GrantedAccess does not include all of WRITE_DAC, WRITE_OWNER, and ACCESS_SYSTEM_SECURITY, the server SHOULD<421> fail the request with STATUS_ACCESS_DENIED.

  7. The server MUST call into the underlying object store to set the security on the object.<422>

The fields being applied in the provided security descriptor are denoted by the flags given in the AdditionalInformation field of the request.

If the underlying object store returns an error, the server MUST fail the request with the error code received.

Otherwise, the server MUST initialize an SMB2 SET_INFO Response following the syntax given in section 2.2.40.

The response MUST then be sent to the client.
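The following is an added worked example, not text or code from [MS-SMB2] or any Windows implementation. It models steps 1 through 7 above as a server-side access check followed by a call into a stubbed object store, the way one would write it for a conformance test or a code review of a file-server implementation. The numeric flag values are the published SECURITY_INFORMATION and ACCESS_MASK bits from [MS-DTYP] and the NTSTATUS codes from [MS-ERREF]; the `object_store` callable, its signature, and the decision to enforce the SHOULD checks in steps 4 through 6 are assumptions made for the example.

```python
# Added example: SMB2 SET_INFO / SMB2_0_INFO_SECURITY access checks (steps 1-7).
# Not specification text; see lead-in for what is assumed.

# SECURITY_INFORMATION bits ([MS-DTYP] 2.4.7). Only the eight flags that
# section 2.2.39 defines for AdditionalInformation are honoured; any other bit
# is masked off and ignored, as the section requires.
OWNER_SECURITY_INFORMATION     = 0x00000001
GROUP_SECURITY_INFORMATION     = 0x00000002
DACL_SECURITY_INFORMATION      = 0x00000004
SACL_SECURITY_INFORMATION      = 0x00000008
LABEL_SECURITY_INFORMATION     = 0x00000010
ATTRIBUTE_SECURITY_INFORMATION = 0x00000020
SCOPE_SECURITY_INFORMATION     = 0x00000040
BACKUP_SECURITY_INFORMATION    = 0x00010000

KNOWN_ADDITIONAL_INFORMATION = (
    OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
    | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION
    | LABEL_SECURITY_INFORMATION | ATTRIBUTE_SECURITY_INFORMATION
    | SCOPE_SECURITY_INFORMATION | BACKUP_SECURITY_INFORMATION
)

# ACCESS_MASK bits ([MS-DTYP] 2.4.3) that the checks consult in Open.GrantedAccess.
WRITE_DAC              = 0x00040000
WRITE_OWNER            = 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000

# NTSTATUS values ([MS-ERREF]).
STATUS_SUCCESS       = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022


def check_set_security_access(additional_information, granted_access,
                              store_supports_security=True):
    """Steps 1-6: return STATUS_SUCCESS if the caller's Open.GrantedAccess
    permits every requested security-descriptor component, else
    STATUS_ACCESS_DENIED. The SHOULD checks (steps 4-6) are enforced here;
    that is an assumption of this example."""
    info = additional_information & KNOWN_ADDITIONAL_INFORMATION

    def holds(required):
        # every bit in `required` must be present in the granted access mask
        return (granted_access & required) == required

    # Step 1: SACL requires ACCESS_SYSTEM_SECURITY.
    if info & SACL_SECURITY_INFORMATION and not holds(ACCESS_SYSTEM_SECURITY):
        return STATUS_ACCESS_DENIED
    # Step 2: DACL requires WRITE_DAC.
    if info & DACL_SECURITY_INFORMATION and not holds(WRITE_DAC):
        return STATUS_ACCESS_DENIED
    # Step 3: owner, group or label require WRITE_OWNER, but only when the
    # object store supports security at all.
    owner_group_label = (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
                         | LABEL_SECURITY_INFORMATION)
    if (store_supports_security and info & owner_group_label
            and not holds(WRITE_OWNER)):
        return STATUS_ACCESS_DENIED
    # Step 4 (SHOULD): attribute requires WRITE_DAC.
    if info & ATTRIBUTE_SECURITY_INFORMATION and not holds(WRITE_DAC):
        return STATUS_ACCESS_DENIED
    # Step 5 (SHOULD): scope requires ACCESS_SYSTEM_SECURITY.
    if info & SCOPE_SECURITY_INFORMATION and not holds(ACCESS_SYSTEM_SECURITY):
        return STATUS_ACCESS_DENIED
    # Step 6 (SHOULD): backup requires all three rights together.
    if info & BACKUP_SECURITY_INFORMATION and not holds(
            WRITE_DAC | WRITE_OWNER | ACCESS_SYSTEM_SECURITY):
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


def handle_set_info_security(additional_information, granted_access,
                             security_descriptor, object_store,
                             store_supports_security=True):
    """Steps 1-7 plus the response rule: run the access checks, then hand the
    descriptor to the object store (a callable returning an NTSTATUS; assumed
    interface) with only the recognised flags. The store's error, if any, is
    returned unchanged; otherwise STATUS_SUCCESS stands for the SET_INFO
    Response that the server would build from section 2.2.40."""
    status = check_set_security_access(additional_information, granted_access,
                                       store_supports_security)
    if status != STATUS_SUCCESS:
        return status
    info = additional_information & KNOWN_ADDITIONAL_INFORMATION
    return object_store(info, security_descriptor)


if __name__ == "__main__":
    # Constructed inputs: a client holding only WRITE_DAC tries to set the DACL
    # (allowed) and then the SACL (denied).
    store = lambda info, sd: STATUS_SUCCESS  # stub object store (assumption)
    print(hex(handle_set_info_security(DACL_SECURITY_INFORMATION, WRITE_DAC,
                                       b"<sd>", store)))
    print(hex(handle_set_info_security(SACL_SECURITY_INFORMATION, WRITE_DAC,
                                       b"<sd>", store)))
```

The order of the checks matters less than their independence: each requested component is tested against the right it needs, so a request that combines, for example, DACL and SACL must satisfy both WRITE_DAC and ACCESS_SYSTEM_SECURITY. Masking AdditionalInformation before the checks and before the store call is what implements the opening rule that unrecognised flags are ignored rather than rejected.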