From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Date: Tue, 12 Nov 2024 17:54:27 +0900
Message-ID: <20241112175427.750ae77a8086594a765862c5@nifty.ne.jp>
In-Reply-To: <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp>
On Tue, 12 Nov 2024 04:29:37 +0900
Takashi Yano wrote:
> On Mon, 11 Nov 2024 14:35:55 +0100
> Corinna Vinschen wrote:
> > On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 13:03:18 +0100
> > > Corinna Vinschen wrote:
> > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > > > Even with this patch, the file:
> > > > > >
> > > > > > yano $ touch samba_test_file.txt
> > > > > > yano $ ls -l samba_test_file.txt
> > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > > >
> > > > > Oops! This was wrong.
> > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > > >
> > > > That's Samba for you. I applied your patch and created a file
> > > > on my share, and the Authenticated Users group was not in the
> > > > resulting ACL. Only user, group, and Everyone.
> > > >
> > > > Either way, I don't think this is the right thing to do. Even if
> > > > the group isn't added to the ACL on my machine, it still looks like
> > > > a security problem in waiting.
> > >
> > > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > > In my environment, the Authenticated Users does not appear in the ACL
> > > either.
> >
> > Oh, yeah, right, *blush*.
> >
> > But it's still not the right thing to do. You convert the Samba ACL
> > to a Windows ACL which gives Authenticated Users full permissions.
> > So the check_access() function will return false positives, because
> > every authenticated user is in the Authenticated Users group and has
> > supposedly FILE_ALL_ACCESS. Even if the actual function (read, write,
> > execute) will fail, the access() function will claim that every
> > authenticated user has RWX perms.
>
> Ah, right. I have just confirmed that behaviour...
>
> > AFAICS, the underlying problem is somehow the user mapping. Did you
> > try with username map = /foo/bar?
>
> Yes. However, my user name is 'yano' both in server (Linux) and
> client (Windows 10) side. So, I think there is no effect of
> 'username map'.
I noticed that the problem is not only in the samba share, but
also in the Windows share.
Yesterday, I used a shared resource of the root directory.
In that case, the access right of Authenticated Users was enabled.
However, when I tried a resource under the user folder, the access
right of Authenticated Users is not assigned, as follows.
$ icacls '\\kappy3\Share\smb_shared_file.txt'
\\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(R)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
$ ls -l //kappy3/Share/smb_shared_file.txt
-rw-r--r--+ 1 Unknown+User Unknown+Group 0 11月 12 15:50 //kappy3/Share/smb_shared_file.txt
$ /cygdrive/c/Windows/system32/whoami /USER
USER INFORMATION
----------------
User Name SID
============ ==============================================
hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001
The file server is not in AD and uses an offline account in Windows 11
(meaning no Microsoft Account). The client uses an offline account
in Windows 10 too.
The server and the client use the same user name and password, so
authentication is done automatically.
In this case, access() of the current cygwin wrongly refers to the
permissions for 'others'.
I wonder why NtAccessCheck() cannot handle this situation
correctly. Does the process token not have the privilege of the
SIDs on the server side even though authentication has been
done by the 'net use' command?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
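The false positive that Corinna describes in the quoted part (an Authenticated Users FILE_ALL_ACCESS ACE makes access() claim RWX for every authenticated user) and the fall-through to the 'others' permissions that this message reports are two sides of the same mechanism: a DACL is evaluated ACE by ACE against the SIDs present in the caller's token. The following Python script is an added example, not code from the Cygwin project or from anyone in this thread. It rebuilds the file's DACL from the icacls output above, builds a token for the client account from the whoami output (the group SIDs in the token, the 513 primary group and BUILTIN\Users, are assumptions), and runs a simplified version of the ordered deny/allow walk that NtAccessCheck() performs. It deliberately leaves out generic-rights mapping, the owner's implicit READ_CONTROL/WRITE_DAC, and token privileges.

```python
"""Simplified DACL evaluation in the style of NtAccessCheck() (added example).

The SIDs below are the ones visible in the thread's icacls and whoami output;
group membership of the tokens is an assumption for illustration.
"""
from dataclasses import dataclass

NULL_SID = "S-1-0-0"
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"

# Machine SIDs of the file server (from icacls) and of the client (from whoami).
SERVER_DOMAIN = "S-1-5-21-2089672436-4097686843-2104605006"
CLIENT_DOMAIN = "S-1-5-21-1515853178-1880514851-1804962447"


@dataclass(frozen=True)
class Ace:
    sid: str
    rights: frozenset  # icacls-style abbreviations: R, W, X, D, WDAC, WO, S, Rc, DC
    deny: bool = False


def access_check(dacl, token_sids, requested):
    """Walk the DACL top to bottom the way the kernel does.

    Only ACEs whose SID is in the token are consulted.  A matching DENY that
    covers any requested right ends the walk with failure; matching ALLOW ACEs
    accumulate until every requested right is granted.  Rights never granted
    by a matching ACE are denied by default.
    """
    requested = frozenset(requested)
    granted = set()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.deny:
            if ace.rights & requested:
                return False
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return granted == requested


def rwx(dacl, token_sids):
    """One flag per access(R_OK/W_OK/X_OK) request, as Cygwin's access() would report."""
    return "".join(f if access_check(dacl, token_sids, {f}) else "-" for f in "RWX")


# The DACL of \\kappy3\Share\smb_shared_file.txt exactly as icacls listed it.
SHARE_FILE_DACL = (
    Ace(NULL_SID, frozenset({"Rc", "S", "X", "DC"}), deny=True),
    Ace(f"{SERVER_DOMAIN}-1001", frozenset({"R", "W", "D", "WDAC", "WO"})),
    Ace(SYSTEM, frozenset({"S", "X"}), deny=True),
    Ace(ADMINISTRATORS, frozenset({"S", "X"}), deny=True),
    Ace(f"{SERVER_DOMAIN}-513", frozenset({"R"})),
    Ace(SYSTEM, frozenset({"R", "X", "W"})),
    Ace(ADMINISTRATORS, frozenset({"R", "X", "W"})),
    Ace(EVERYONE, frozenset({"R"})),
)


def token(domain, rid=1001, extra=()):
    """Assumed token: the user SID, its primary group, Everyone, Authenticated Users, Users."""
    return frozenset({f"{domain}-{rid}", f"{domain}-513", EVERYONE,
                      AUTHENTICATED_USERS, BUILTIN_USERS, *extra})


def client_view():
    """Client account 'yano' (S-1-5-21-1515853178-...-1001) against the server's ACL."""
    return rwx(SHARE_FILE_DACL, token(CLIENT_DOMAIN))


def same_account_view():
    """The same ACL evaluated with a token that carries the server-side SIDs."""
    return rwx(SHARE_FILE_DACL, token(SERVER_DOMAIN))


def with_authenticated_users_full_access():
    """The converted ACL with an Authenticated Users FILE_ALL_ACCESS ACE prepended."""
    dacl = (Ace(AUTHENTICATED_USERS, frozenset({"R", "W", "X", "D", "WDAC", "WO"})),) + SHARE_FILE_DACL
    return rwx(dacl, token(CLIENT_DOMAIN))


if __name__ == "__main__":
    print("client token, server ACL:        ", client_view())
    print("server-side SIDs, server ACL:    ", same_account_view())
    print("Authenticated Users FILE_ALL_ACCESS:", with_authenticated_users_full_access())
```

The client token's S-1-5-21 machine SID differs from the server's, so none of the user or group ACEs match and only the Everyone ACE applies: that is the 'others' column of -rw-r--r--, which is what the current access() reports. Evaluating the same ACL with the server-side SIDs in the token yields RW, the owner's rights. Prepending an Authenticated Users FILE_ALL_ACCESS ACE makes any authenticated token pass all three checks whatever the server's ACL says, which is the false positive described in the quoted reply.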