From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Date: Mon, 11 Nov 2024 20:19:28 +0900 [thread overview]
Message-ID: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> (raw)
In-Reply-To: <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:
> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > >
> > > read only = No
> > > vfs objects = acl_xattr
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> >
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
>
> I don't understand. Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.
$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
This seems reasonable to me.
For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > Not sure if that helps, but I don't have any other idea. I'm running
> > > Samba in an AD environment and "it works for me" :-P
> >
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> >
> > It seems that next patch solves this.
> >
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > ace->Header.AceFlags))
> > return;
> > }
> > + /* Samba without AD seems to need this. */
> > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > + well_known_authenticated_users_sid, acl_len, 0);
> > acl->AclSize = acl_len;
> >
> > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> >
> > What do you think?
>
> Giving all authenticated users full permissions to all your files?
> Unconditionally? That sounds like opening a security hole wide open.
Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
WARNING: multiple messages have this Message-ID
From: Takashi Yano via Cygwin <cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Date: Mon, 11 Nov 2024 20:19:28 +0900 [thread overview]
Message-ID: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> (raw)
Message-ID: <20241111111928.GEIBLYN5RQSKbOTw-qz8KaPwtVomW9F7QgzlCa-J_rI@z> (raw)
In-Reply-To: <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:
> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > >
> > > read only = No
> > > vfs objects = acl_xattr
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> >
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
>
> I don't understand. Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.
$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
This seems reasonable to me.
For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > Not sure if that helps, but I don't have any other idea. I'm running
> > > Samba in an AD environment and "it works for me" :-P
> >
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> >
> > It seems that next patch solves this.
> >
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > ace->Header.AceFlags))
> > return;
> > }
> > + /* Samba without AD seems to need this. */
> > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > + well_known_authenticated_users_sid, acl_len, 0);
> > acl->AclSize = acl_len;
> >
> > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> >
> > What do you think?
>
> Giving all authenticated users full permissions to all your files?
> Unconditionally? That sounds like opening a security hole wide open.
Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2024-11-11 11:19 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 15:42 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2024-11-08 11:51 ` Takashi Yano
2024-11-08 13:11 ` Corinna Vinschen
2024-11-11 10:31 ` Takashi Yano
2024-11-11 10:31 ` Takashi Yano via Cygwin
2024-11-11 10:56 ` Corinna Vinschen
2024-11-11 10:56 ` Corinna Vinschen via Cygwin
2024-11-11 11:19 ` Takashi Yano [this message]
2024-11-11 11:19 ` Takashi Yano via Cygwin
2024-11-11 11:32 ` Takashi Yano
2024-11-11 11:32 ` Takashi Yano via Cygwin
2024-11-11 11:40 ` Takashi Yano
2024-11-11 11:40 ` Takashi Yano via Cygwin
2024-11-11 12:03 ` Corinna Vinschen
2024-11-11 12:03 ` Corinna Vinschen via Cygwin
2024-11-11 12:19 ` Takashi Yano
2024-11-11 12:19 ` Takashi Yano via Cygwin
2024-11-11 13:35 ` Corinna Vinschen
2024-11-11 13:35 ` Corinna Vinschen via Cygwin
2024-11-11 19:29 ` Takashi Yano
2024-11-11 19:29 ` Takashi Yano via Cygwin
2024-11-12 8:54 ` Takashi Yano
2024-11-12 11:56 ` Corinna Vinschen
2024-11-13 9:17 ` Takashi Yano
2024-11-13 15:10 ` Bill Stewart
2024-11-13 15:37 ` Takashi Yano
2024-11-13 15:58 ` Bill Stewart
2024-11-13 16:08 ` Takashi Yano
2024-11-15 15:21 ` Takashi Yano
2024-11-18 16:26 ` Corinna Vinschen
2024-11-19 8:58 ` Takashi Yano
2024-11-19 20:54 ` Corinna Vinschen
2024-12-07 23:13 ` Takashi Yano
2024-12-08 7:57 ` Takashi Yano
2024-12-09 11:11 ` Corinna Vinschen
2024-11-12 11:31 ` Corinna Vinschen
2024-11-11 11:51 ` Takashi Yano
2024-11-11 11:51 ` Takashi Yano via Cygwin
2024-11-11 11:59 ` Corinna Vinschen
2024-11-11 11:59 ` Corinna Vinschen via Cygwin
2024-11-11 12:25 ` Takashi Yano
2024-11-11 12:25 ` Takashi Yano via Cygwin
2024-11-11 13:00 ` Takashi Yano
2024-11-11 13:00 ` Takashi Yano via Cygwin
2024-11-11 13:18 ` Corinna Vinschen
2024-11-11 13:18 ` Corinna Vinschen via Cygwin
2024-11-08 16:07 ` [EXTERNAL] " Lavrentiev, Anton (NIH/NLM/NCBI) [C]
2024-11-11 9:04 ` Takashi Yano
2024-11-11 9:04 ` Takashi Yano via Cygwin
2019-08-12 19:05 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-13 8:28 ` KAVALAGIOS Panagiotis (EEAS-EXT)
[not found] ` <704986a5a4ab41709eb963dcd23887b1@BELBRU-EXMP101.eeas.europa.eu>
2019-08-13 12:27 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-13 18:34 ` Achim Gratz
2019-08-13 18:35 ` Andrey Repin
2019-08-13 23:19 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 20:05 ` Andrey Repin
2019-08-14 0:53 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 2:36 ` Ken Brown
2019-08-14 16:59 ` Achim Gratz
2019-08-14 4:24 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 11:22 ` Ken Brown
2019-08-14 22:58 ` Brian Inglis
2019-08-14 14:07 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 1:28 ` Ken Brown
2019-08-14 20:39 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 1:31 ` Ken Brown
2019-08-15 1:40 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 2:59 ` Brian Inglis
2019-08-15 2:00 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 9:21 ` L A Walsh
2019-08-15 9:23 ` L A Walsh
2019-08-21 7:12 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp \
--to=takashi.yano@nifty.ne.jp \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).