From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2155) id 7F76D3858D28; Mon, 11 Nov 2024 11:59:43 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7F76D3858D28 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1731326383; bh=RCxfjiCKvGUtxhWHv9a+62yLCRe0JjlsRd8UbR6uCe8=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To:From; b=lmW/dUraOF21NbdLm2653sZoMB2X8Ujv45WdjMuRtYZv6E2lA0GO8trKrejZw4ThE Q0CuzLU33hinzpO62d+Bic83adW80GJy2NuFX5Eo2yHxlvVekOhdkzHfnoRI87taWT pUDX+PC61ssejBR6OAcnHE9g5WuoUqiDx8kMoDS0= Received: by calimero.vinschen.de (Postfix, from userid 500) id 13877A80E9C; Mon, 11 Nov 2024 12:59:41 +0100 (CET) Date: Mon, 11 Nov 2024 12:59:41 +0100 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: SMBFS mount's file cannot be made executable Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20241108205109.55f99e2d172b9fc87e92ae67@nifty.ne.jp> <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp> <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> List-Id: On Nov 11 20:19, Takashi Yano via Cygwin wrote: > On Mon, 11 Nov 2024 11:56:13 +0100 > Corinna Vinschen wrote: > > > On Nov 11 19:31, Takashi Yano via Cygwin wrote: > > > On Fri, 8 Nov 2024 14:11:40 +0100 > > > Corinna Vinschen wrote: > > > > If the server is a Samba share, check if `force unknown acl user = yes' > > > > and for the share itself, check that > > > > > > > > read only = No > > > > vfs objects = acl_xattr > > > ^^^^^^^^^^^^^^^^^^^^^^^ > > > Thanks! This makes things better. > > > At least x permissions are set to executable compiled by gcc. > > > > > > However, something is still wrong in my environment.... > > > Others permission seems to be reffered in some cases. > > > > I don't understand. Please run icacls for a just created file on your > > Samba share (without the below patch) as well as Windows' `whoami /all'. > > $ touch samba_test_file.txt > $ icacls samba_test_file.txt > samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO) > S-1-5-21-479325430-3041864944-504445739-513:(R) > Everyone:(R) > > This seems reasonable to me. > > For Windows 11 share, the result is > samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC) > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO) On Samba S-1-5-21-479325430-3041864944-504445739-1000 On Windows S-1-5-21-2089672436-4097686843-2104605006-1001 Isn't the user mapping off? It's also not clear where your Windows ACL comes from. When I check the permissions on typical Windows folders, Authenticated Users doesn't even show up. > S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X) > [...] > NT AUTHORITY\Authenticated Users:(RX,W) > [...] > > Giving all authenticated users full permissions to all your files? > > Unconditionally? That sounds like opening a security hole wide open. > > Does this really mean such thing? Windows 11 share reports here, > access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar? Well, it's just a group. All authenticated users are member of the group. It's in all user tokens and if it allows everything on a file... Corinna From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from offsite.cs.fiu.edu (offsite.cs.fiu.edu [131.94.68.228]) by sourceware.org (Postfix) with ESMTP id 5FB9E3858C31 for ; Mon, 11 Nov 2024 23:35:20 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 5FB9E3858C31 Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=cygwin.com Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=cygwin.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 5FB9E3858C31 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=131.94.68.228 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731368130; cv=none; b=SeTewEmTVpzr4l7jcpRdEZ/vACkOGszw3DkmikupLitDOH2azf3rfl8SUovuFkuFuh+YEpClWdaKV02D8YxAiINSl5yHUHLYJarmAR1T7tZuGXPHNtNbbUp5OVZrGY+pVbj/sL/n5wl7rK68ek2RAl/fWYGftNdLDdMmeZG/SxM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731368130; c=relaxed/simple; bh=8jH5BO/WjaEmbSJhKHvfPZ5Sw8tENG6Muj6YeebyRV0=; h=DKIM-Signature:Date:To:Subject:Message-ID:MIME-Version:From; b=jQdZ/Mi1yTfjxhgJxn8XCf5ZvVBzGupKtM2Up7yvkisKC1LFoT7MX3/zOxsBaEmjWQ4var4oMiMZG+ScerLGeAPNqMPAdUTAEPB7MxjmUTyTnupUl3rCw4JowhHwWQf4jaExwr2uC49acGDh0SZcgKXJAgjPejdoyNXqO67b44s= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by offsite.cs.fiu.edu (Postfix, from userid 0) id 33AA61617BA; Mon, 11 Nov 2024 18:35:16 -0500 (EST) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) by offsite.cs.fiu.edu (Postfix) with ESMTP id CB3CC1616F8 for ; Mon, 11 Nov 2024 07:00:23 -0500 (EST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E272A3858C78 for ; Mon, 11 Nov 2024 12:00:18 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E272A3858C78 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1731326418; bh=33jspREa0sGcI10duZQNXHgEE5QIIdfloGnmRT8CgPw=; h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=fN4hSqZCe/nzAij3UXwQuatxhb8TCi8f5cNDwRPXcME0Hu3980DCp0u662cDJrf8P X5VG8vGOvSqUTIdXVxwEV/Mk1+ukC1z52XVOK2SBOvyJK6K0KcegNZ6uBxdL+X4YKY zASRBQ435nvCTODZS8umt/gtwz7GJmLjCQrwKbGo= Received: by sourceware.org (Postfix, from userid 2155) id 7F76D3858D28; Mon, 11 Nov 2024 11:59:43 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7F76D3858D28 Received: by calimero.vinschen.de (Postfix, from userid 500) id 13877A80E9C; Mon, 11 Nov 2024 12:59:41 +0100 (CET) Date: Mon, 11 Nov 2024 12:59:41 +0100 To: cygwin@cygwin.com Subject: Re: SMBFS mount's file cannot be made executable Message-ID: Mail-Followup-To: cygwin@cygwin.com References: <20241108205109.55f99e2d172b9fc87e92ae67@nifty.ne.jp> <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp> <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Corinna Vinschen via Cygwin Reply-To: cygwin@cygwin.com Cc: Corinna Vinschen Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces~esj=cs.fiu.edu@cygwin.com Sender: "Cygwin" X-Keywords: X-UID: 28 X-Spam-Status: No, score=-13.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,SPF_FAIL,SPF_HELO_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org Message-ID: <20241111115941.xruklRyF967TYEPKXdQR7C2_CLe5IwxOM5cT237XC9g@z> On Nov 11 20:19, Takashi Yano via Cygwin wrote: > On Mon, 11 Nov 2024 11:56:13 +0100 > Corinna Vinschen wrote: > > > On Nov 11 19:31, Takashi Yano via Cygwin wrote: > > > On Fri, 8 Nov 2024 14:11:40 +0100 > > > Corinna Vinschen wrote: > > > > If the server is a Samba share, check if `force unknown acl user = yes' > > > > and for the share itself, check that > > > > > > > > read only = No > > > > vfs objects = acl_xattr > > > ^^^^^^^^^^^^^^^^^^^^^^^ > > > Thanks! This makes things better. > > > At least x permissions are set to executable compiled by gcc. > > > > > > However, something is still wrong in my environment.... > > > Others permission seems to be reffered in some cases. > > > > I don't understand. Please run icacls for a just created file on your > > Samba share (without the below patch) as well as Windows' `whoami /all'. > > $ touch samba_test_file.txt > $ icacls samba_test_file.txt > samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO) > S-1-5-21-479325430-3041864944-504445739-513:(R) > Everyone:(R) > > This seems reasonable to me. > > For Windows 11 share, the result is > samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC) > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO) On Samba S-1-5-21-479325430-3041864944-504445739-1000 On Windows S-1-5-21-2089672436-4097686843-2104605006-1001 Isn't the user mapping off? It's also not clear where your Windows ACL comes from. When I check the permissions on typical Windows folders, Authenticated Users doesn't even show up. > S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X) > [...] > NT AUTHORITY\Authenticated Users:(RX,W) > [...] > > Giving all authenticated users full permissions to all your files? > > Unconditionally? That sounds like opening a security hole wide open. > > Does this really mean such thing? Windows 11 share reports here, > access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar? Well, it's just a group. All authenticated users are member of the group. It's in all user tokens and if it allows everything on a file... Corinna -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple