From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Rgej=SG=nifty.ne.jp=takashi.yano@sourceware.org>
Received: from mta-snd-w02.mail.nifty.com (mta-snd-w02.mail.nifty.com [106.153.227.34])
	by sourceware.org (Postfix) with ESMTPS id E2F083858D21
	for <cygwin@cygwin.com>; Mon, 11 Nov 2024 11:19:30 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E2F083858D21
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=nifty.ne.jp
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=nifty.ne.jp
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E2F083858D21
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=106.153.227.34
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731323974; cv=none;
	b=OzaJw+j0tr6ISDwzrbiIsysOI6DOOHQ/jqUiYEIjfbzE0O5Bsft5hkRd/04hOp1iz6IAB8ChtcjIb7yYpUXFfh5guOwI8oEgn0CLFsEracCODE4WrWmVelkB3LKX6zM4gqWJOGsVzh9cg95PRZoIx9+wyP2L3rhmf+teX6uVlUw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1731323974; c=relaxed/simple;
	bh=bXY4urEC39sHhgmEhjxhXlYa7PDE15EqB6f5oJAcmzs=;
	h=Date:From:To:Subject:Message-Id:Mime-Version:DKIM-Signature; b=E9mfW55bFtyILxBfU5sywqMcJiMPWoWrrKq/F6iyBocuJs2B34wpzVhm/0qPSixqOq2j6CpdbrtEm9s6KxHL+/qHz9VJWnJvgrIh0Dgkbft08WAuX+OnwtvcowegTmN9UwKLIRdsSzUWp7V0OKk42aup0j8jOYbpGTfcDwMO6Wc=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: from HP-Z230 by mta-snd-w02.mail.nifty.com with ESMTP
          id <20241111111928749.WVQR.12429.HP-Z230@nifty.com>
          for <cygwin@cygwin.com>; Mon, 11 Nov 2024 20:19:28 +0900
Date: Mon, 11 Nov 2024 20:19:28 +0900
From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Message-Id: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp>
In-Reply-To: <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
References: <BL0PR0901MB430827F1A0668E468B498FBBA5D70@BL0PR0901MB4308.namprd09.prod.outlook.com>
	<20241108205109.55f99e2d172b9fc87e92ae67@nifty.ne.jp>
	<Zy4ODHHpmZPggGSz@calimero.vinschen.de>
	<20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp>
	<ZzHizX_6FXABDPvZ@calimero.vinschen.de>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.ne.jp; s=default-1th84yt82rvi; t=1731323968;
 bh=0Z/KC625z0sNItlCVtCyaEhyrWJq6vntM0wgnLAjsu0=;
 h=Date:From:To:Subject:In-Reply-To:References;
 b=TwMKNMvOza0HEkqyGqVrg7ek3uQq0wwcuU8VRLAjX2GKDO5vyvIWcNIpGevtu+O2s53JQH4U
 ooInI/QG7maLDPRxpYDypDsIxu/qjeZD7joIOMBmYUOwdpyBpRGRHEy1PY3aBrVxsn2Apcgvlv
 kXzzlE7WpySweE+QcjvIUxivbLTh2GCF6Cvlmymy8Ufpm4qVLJ7cxyIQ3EqCXXE8rd11YLirCk
 j3OhpdTUlHiutKdR9XPMdWf063uk2vmu4n5xkNkQMasXuORi1TyxbGA1aGrkTu0BECCHqBJ69V
 dY3G3CsmoWLeEZ/6lHRyBgbmcaq31sVAraq/XUPnLHtINb6w==
X-Spam-Status: No, score=-10.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <cygwin.cygwin.com>

On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:

> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > > 
> > >   read only = No
> > >   vfs objects = acl_xattr
> >     ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> > 
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
> 
> I don't understand.  Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.

$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
                    S-1-5-21-479325430-3041864944-504445739-513:(R)
                    Everyone:(R)

This seems reasonable to me.

For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
                    S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
                    NT AUTHORITY\Authenticated Users:(DENY)(S,X)
                    NT AUTHORITY\SYSTEM:(DENY)(S,X)
                    BUILTIN\Administrators:(DENY)(S,X)
                    BUILTIN\Users:(DENY)(S,X)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
                    NT AUTHORITY\Authenticated Users:(RX,W)
                    NT AUTHORITY\SYSTEM:(RX,W)
                    BUILTIN\Administrators:(RX,W)
                    BUILTIN\Users:(RX)
                    Everyone:(R)

> > >   map acl inherit = Yes
> > >   store dos attributes = Yes
> > > 
> > > Not sure if that helps, but I don't have any other idea.  I'm running
> > > Samba in an AD environment and "it works for me" :-P
> > 
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> > 
> > It seems that next patch solves this.
> > 
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> >  				     ace->Header.AceFlags))
> >  	  return;
> >        }
> > +  /* Samba without AD seems to need this. */
> > +  add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > +			  well_known_authenticated_users_sid, acl_len, 0);
> >    acl->AclSize = acl_len;
> >  
> >    RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > 
> > What do you think?
> 
> Giving all authenticated users full permissions to all your files?
> Unconditionally?  That sounds like opening a security hole wide open.

Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-bounces~esj=cs.fiu.edu@cygwin.com>
Received: from offsite.cs.fiu.edu (offsite.cs.fiu.edu [131.94.68.228])
	by sourceware.org (Postfix) with ESMTP id 27E813858C62
	for <cygwin@cygwin.com>; Mon, 11 Nov 2024 23:35:17 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 27E813858C62
Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=cygwin.com
Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=cygwin.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 27E813858C62
Authentication-Results: server2.sourceware.org; arc=fail smtp.remote-ip=131.94.68.228
ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1731368122; cv=fail;
	b=C51xF8i+aW5fQuY0vOqrO0/jrVjbSHv+DF40Dfs/Unruwbu2ftfqMSMIEJQXf4IuvM7I2T1CU14pwheHqm47ygUgy4sZoJd3ZtA8JlF1rr/T6iH3cK0SXpXfPAPCNYiTcyTvjJn3gzp+iI2GLZECnd1TpdH2Rti09q3ylLOaO2c=
ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key;
	t=1731368122; c=relaxed/simple;
	bh=IK0Ug4+matA4ulpKO9BfVi5y0ussP7qKISt8TmLmPj0=;
	h=DKIM-Signature:Date:To:Subject:Message-Id:Mime-Version:From; b=JRIfTmmMNe3LkkCzyjbkeBWIcAGl+I5bQkZpS65xH2Nb/aOPAkuSbMsOrxKv7iMRuKjYSe0aR2Ur5PYgdy0QKMcAihGOTbFste1D9EVYsjTrHS2J/ja7GLFTkEUlZZLn53TJPm5XAhyJZC6qHCzqqsrah7CyPIKZ1ScPvEufg6g=
ARC-Authentication-Results: i=2; server2.sourceware.org
Received: by offsite.cs.fiu.edu (Postfix, from userid 0)
	id 018191617B8; Mon, 11 Nov 2024 18:35:16 -0500 (EST)
Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) 	by offsite.cs.fiu.edu (Postfix) with ESMTP id 7900F1616F2 	for <esj@cs.fiu.edu>; Mon, 11 Nov 2024 06:20:16 -0500 (EST)
Received: from server2.sourceware.org (localhost [IPv6:::1]) 	by sourceware.org (Postfix) with ESMTP id 048893858C3A 	for <esj@cs.fiu.edu>; Mon, 11 Nov 2024 11:20:11 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 048893858C3A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; 	s=default; t=1731324011; 	bh=7MkrC11LJAiFKErjOuiGtZznjmbeq7n0piKAO6RETTo=; 	h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe: 	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: 	 From; 	b=VeiqU4X8T84AsNq/dMJ/FhwXvTYv/qSpiNNPmBHBB4K4sT7CFHt9gwbPsIyqZPGyk 	 8oIGyknyLelvDlb05XwNbdFHkM6fe6ZbyRalqZdKag6tOQdgnb8MkqaoJfeQ/GspEv 	 ViKxrHWM7JKiukE3+UVodxJUOjDMia+gOjkFsSgU=
Received: from mta-snd-w02.mail.nifty.com (mta-snd-w02.mail.nifty.com  [106.153.227.34])  by sourceware.org (Postfix) with ESMTPS id E2F083858D21  for <cygwin@cygwin.com>; Mon, 11 Nov 2024 11:19:30 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E2F083858D21
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E2F083858D21
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731323974; cv=none;  b=OzaJw+j0tr6ISDwzrbiIsysOI6DOOHQ/jqUiYEIjfbzE0O5Bsft5hkRd/04hOp1iz6IAB8ChtcjIb7yYpUXFfh5guOwI8oEgn0CLFsEracCODE4WrWmVelkB3LKX6zM4gqWJOGsVzh9cg95PRZoIx9+wyP2L3rhmf+teX6uVlUw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;  t=1731323974; c=relaxed/simple;  bh=bXY4urEC39sHhgmEhjxhXlYa7PDE15EqB6f5oJAcmzs=;  h=Date:From:To:Subject:Message-Id:Mime-Version:DKIM-Signature;  b=E9mfW55bFtyILxBfU5sywqMcJiMPWoWrrKq/F6iyBocuJs2B34wpzVhm/0qPSixqOq2j6CpdbrtEm9s6KxHL+/qHz9VJWnJvgrIh0Dgkbft08WAuX+OnwtvcowegTmN9UwKLIRdsSzUWp7V0OKk42aup0j8jOYbpGTfcDwMO6Wc=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: from HP-Z230 by mta-snd-w02.mail.nifty.com with ESMTP  id <20241111111928749.WVQR.12429.HP-Z230@nifty.com>  for <cygwin@cygwin.com>; Mon, 11 Nov 2024 20:19:28 +0900
Date: Mon, 11 Nov 2024 20:19:28 +0900
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp>
In-Reply-To: <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
References: <BL0PR0901MB430827F1A0668E468B498FBBA5D70@BL0PR0901MB4308.namprd09.prod.outlook.com>  <20241108205109.55f99e2d172b9fc87e92ae67@nifty.ne.jp>  <Zy4ODHHpmZPggGSz@calimero.vinschen.de>  <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp>  <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32)
Mime-Version: 1.0
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,  <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,  <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Takashi Yano via Cygwin <cygwin@cygwin.com>
Reply-To: Takashi Yano <takashi.yano@nifty.ne.jp>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~esj=cs.fiu.edu@cygwin.com
Sender: "Cygwin" <cygwin-bounces~esj=cs.fiu.edu@cygwin.com>
X-Keywords:                  
X-UID: 21
X-Spam-Status: No, score=-17.3 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_FAIL,SPF_HELO_NONE,TXREP autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
Message-ID: <20241111111928.GEIBLYN5RQSKbOTw-qz8KaPwtVomW9F7QgzlCa-J_rI@z>

On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:

> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > > 
> > >   read only = No
> > >   vfs objects = acl_xattr
> >     ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> > 
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
> 
> I don't understand.  Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.

$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
                    S-1-5-21-479325430-3041864944-504445739-513:(R)
                    Everyone:(R)

This seems reasonable to me.

For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
                    S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
                    NT AUTHORITY\Authenticated Users:(DENY)(S,X)
                    NT AUTHORITY\SYSTEM:(DENY)(S,X)
                    BUILTIN\Administrators:(DENY)(S,X)
                    BUILTIN\Users:(DENY)(S,X)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
                    NT AUTHORITY\Authenticated Users:(RX,W)
                    NT AUTHORITY\SYSTEM:(RX,W)
                    BUILTIN\Administrators:(RX,W)
                    BUILTIN\Users:(RX)
                    Everyone:(R)

> > >   map acl inherit = Yes
> > >   store dos attributes = Yes
> > > 
> > > Not sure if that helps, but I don't have any other idea.  I'm running
> > > Samba in an AD environment and "it works for me" :-P
> > 
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> > 
> > It seems that next patch solves this.
> > 
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> >  				     ace->Header.AceFlags))
> >  	  return;
> >        }
> > +  /* Samba without AD seems to need this. */
> > +  add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > +			  well_known_authenticated_users_sid, acl_len, 0);
> >    acl->AclSize = acl_len;
> >  
> >    RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > 
> > What do you think?
> 
> Giving all authenticated users full permissions to all your files?
> Unconditionally?  That sounds like opening a security hole wide open.

Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple