From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Date: Tue, 19 Nov 2024 17:58:06 +0900
Message-ID: <20241119175806.321cdb7e65a727a2eb58c8a6@nifty.ne.jp>
In-Reply-To: <ZztqpBESgcTXcd3d@calimero.vinschen.de>
[-- Attachment #1: Type: text/plain, Size: 2699 bytes --]
On Mon, 18 Nov 2024 17:26:12 +0100
Corinna Vinschen wrote:
> On Nov 16 00:21, Takashi Yano via Cygwin wrote:
> > I built a test program, whose important part is:
> >
> > AUTHZ_RESOURCE_MANAGER_HANDLE hManager = NULL;
> > AUTHZ_CLIENT_CONTEXT_HANDLE hClient = NULL;
> > AUTHZ_ACCESS_REQUEST AccessRequest = {0};
> > AUTHZ_ACCESS_REPLY AccessReply = {0};
> >
> > AUTHZ_RPC_INIT_INFO_CLIENT authzRpcInitInfoClient = {0};
> >
> > WCHAR ObjectUuid[] = L"9a81c2bd-a525-471d-a4ed-49907c0b23da";
> > WCHAR ProtSeq[] = L"ncacn_ip_tcp";
> > WCHAR NetworkAddr[] = L"localhost";
> > WCHAR Endpoint[] = L"135";
> >
> > authzRpcInitInfoClient.version = AUTHZ_INIT_INFO_VERSION_V1;
> > authzRpcInitInfoClient.ObjectUuid = ObjectUuid;
> > authzRpcInitInfoClient.ProtSeq = ProtSeq;
> > authzRpcInitInfoClient.NetworkAddr = NetworkAddr;
> > authzRpcInitInfoClient.Endpoint = Endpoint;
> >
> > AuthzInitializeRemoteResourceManager (&authzRpcInitInfoClient, &hManager);
> >
> > char buf[1024];
> > PTOKEN_USER pTokenUser = (PTOKEN_USER) buf;
> > DWORD len;
> >
> > GetTokenInformation(hToken, TokenUser, pTokenUser, 1024, &len);
> >
> > LUID luid = {0,};
> > AuthzInitializeContextFromSid(0, pTokenUser->User.Sid, hManager,
> > NULL, luid, NULL, &hClient);
> >
> >
> > This test code fails at AuthzInitializeContextFromSid() with
> > RPC_S_UNKNOWN_IF. If AuthzInitializeRemoteResourceManager()
> > is replaced with AuthzInitializeResourceManager(), the error
> > does not occur.
> >
> > I searched the combination of AuthzInitializeContextFromSid()
> > and RPC_S_UNKNOWN_IF, however nothing was found.
>
> RPC_S_UNKNOWN_IF means "unknown interface". I assume this error has
> nothing to do with AuthzInitializeContextFromSid(), but with the
> AuthzInitializeRemoteResourceManager() call.
>
> What I failed, though, is to find a working example for
> AuthzInitializeRemoteResourceManager().
>
> > Any suggestion would be appreciated.
>
> As I said in my previous posting, maybe we don't really need
> AuthzInitializeRemoteResourceManager().
>
> We can safely assume that the current user is already authorized on the
> SMB server. So... shouldn't AuthzInitializeResourceManager be
> sufficient and the code from class authz_ctx already does what we want?
> We may just have to use it in place of calling NtCheckAccess(),
> maybe with a tweak or two...

I already tried AuthzInitializeResourceManager(), but the result
was the same as with the current implementation...

BTW, I came up with another implementation. This makes things
much simpler. What do you think of the patch attached?

--
Takashi Yano <takashi.yano@nifty.ne.jp>
[-- Attachment #2: smb.patch --]
[-- Type: text/plain, Size: 4312 bytes --]
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..c460fecc4 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -28,10 +28,6 @@ details. */
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
-static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
- FILE_GENERIC_WRITE,
- FILE_GENERIC_EXECUTE,
- FILE_ALL_ACCESS };
LONG
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
@@ -608,95 +604,6 @@ check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
return ret;
}
-/* Samba override. Check security descriptor for Samba UNIX user and group
- accounts and check if we have an RFC 2307 mapping to a Windows account.
- Create a new security descriptor with all of the UNIX accounts with
- valid mapping replaced with their Windows counterpart. */
-static void
-convert_samba_sd (security_descriptor &sd_ret)
-{
- NTSTATUS status;
- BOOLEAN dummy;
- PSID sid;
- cygsid owner;
- cygsid group;
- SECURITY_DESCRIPTOR sd;
- cyg_ldap cldap;
- tmp_pathbuf tp;
- PACL acl, oacl;
- size_t acl_len;
- PACCESS_ALLOWED_ACE ace;
-
- if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- owner = sid;
- if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- group = sid;
-
- if (sid_id_auth (owner) == 22)
- {
- struct passwd *pwd;
- uid_t uid = owner.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- owner.getfrompw (pwd);
- }
- if (sid_id_auth (group) == 22)
- {
- struct group *grp;
- gid_t gid = group.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- group.getfromgr (grp);
- }
-
- if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
- &oacl, &dummy)))
- return;
- acl = (PACL) tp.w_get ();
- RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
- acl_len = sizeof (ACL);
-
- for (DWORD i = 0; i < oacl->AceCount; ++i)
- if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
- {
- cygsid ace_sid ((PSID) &ace->SidStart);
- if (sid_id_auth (ace_sid) == 22)
- {
- if (sid_sub_auth (ace_sid, 0) == 1) /* user */
- {
- struct passwd *pwd;
- uid_t uid = ace_sid.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- ace_sid.getfrompw (pwd);
- }
- else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
- {
- struct group *grp;
- gid_t gid = ace_sid.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- ace_sid.getfromgr (grp);
- }
- }
- if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
- ace->Header.AceFlags))
- return;
- }
- acl->AclSize = acl_len;
-
- RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
- RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
- RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
- RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
-
- status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
- if (!NT_SUCCESS (status))
- return;
- DWORD sd_size = 0;
- status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
- if (sd_size > 0 && sd_ret.malloc (sd_size))
- RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
-}
-
int
check_file_access (path_conv &pc, int flags, bool effective)
{
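Review bot: The patch carries no commit message explaining why the RFC 2307 mapping done by convert_samba_sd() can be dropped, and this hunk deletes it outright. The function is static and its only visible caller is removed in the last hunk, so the deletion is consistent, but the description should state that check_file_access() no longer evaluates the DACL with UNIX SIDs (identifier authority 22) translated to Windows accounts, and that the answer now comes from whatever the server grants when the file is opened.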
@@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
desired |= FILE_EXECUTE;
if (!get_file_sd (pc.handle (), pc, sd, false))
{
- /* Tweak Samba security descriptor as necessary. */
- if (pc.fs_is_samba ())
- convert_samba_sd (sd);
- ret = check_access (sd, file_mapping, desired, flags, effective);
+ HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
+ 0, NULL, OPEN_EXISTING,
+ FILE_FLAG_BACKUP_SEMANTICS, NULL);
+ if (h != INVALID_HANDLE_VALUE)
+ {
+ CloseHandle (h);
+ ret = 0;
+ }
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
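Review bot: The added CreateFileW() call in check_file_access() passes a share mode of 0, so the probe fails with a sharing violation whenever another process already holds the file open, and the function then reports failure for a file the caller is actually permitted to use. Passing FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE would keep the probe from depending on other openers. On the same lines, `effective` no longer influences the result now that the check_access() call is gone, so the real-versus-effective distinction is lost and the open is always judged against the current token. The new path also runs for every filesystem rather than only when pc.fs_is_samba() is true, and the descriptor fetched by get_file_sd() is left unused; if both are intended, a comment should say so. It is also worth confirming that pc.get_nt_native_path ()->Buffer is NUL-terminated and in a form the Win32 CreateFileW() accepts, since it is taken from a counted native path string.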