From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2155) id 2253C3858D20; Tue, 12 Nov 2024 11:31:42 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2253C3858D20 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1731411102; bh=D4oQe7EtaUfmJRS3p9CnimfcPOVR2BiUb24wFAJniFs=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To:From; b=Gdwk9VBZBiqKJwo4uap9loSiq4Odcr7T2BEDSZHaTvUbX49FjsmAj+o1FYEZF1SPI QKhEwAjcoIzRYLCEG7cbDfJpQxPfnlGJgxZkCYqtASG+Oylb52AX1DAS3sUrqRN9+F TpR6ehRCVvMWxZgcx1QXcn4pMSMAy7dk7oBm+J8M= Received: by calimero.vinschen.de (Postfix, from userid 500) id D3054A806B7; Tue, 12 Nov 2024 12:31:39 +0100 (CET) Date: Tue, 12 Nov 2024 12:31:39 +0100 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: SMBFS mount's file cannot be made executable Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp> <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> <20241111203202.b22bcf4f9030aff58299fe0e@nifty.ne.jp> <20241111204051.493f12208bb59d62b699dd28@nifty.ne.jp> <20241111211953.605b186566ce3a44ca929788@nifty.ne.jp> <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp> List-Id: On Nov 12 04:29, Takashi Yano via Cygwin wrote: > On Mon, 11 Nov 2024 14:35:55 +0100 > Corinna Vinschen wrote: > > On Nov 11 21:19, Takashi Yano via Cygwin wrote: > > > On Mon, 11 Nov 2024 13:03:18 +0100 > > > Corinna Vinschen wrote: > > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote: > > > > > On Mon, 11 Nov 2024 20:32:02 +0900 > > > > > Takashi Yano via Cygwin wrote: > > > > > > Even with this patch, the file: > > > > > > > > > > > > yano $ touch samba_test_file.txt > > > > > > yano $ ls -l samba_test_files.txt > > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt > > > > > > > > > > Oops! This was wrong. > > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt > > > > > > > > That's Samba for you. I applied your patch and created a file > > > > on my share, and the Authenticated Users group was not in the > > > > resulting ACL. Only user, group, and Everyone. > > > > > > > > Either way, I don't think this is the right thing to do. Even if > > > > the group isn't added to the ACL on my machine, it still loks like > > > > a security problem in waiting. > > > > > > Isn't this DACL here used only for access_check() (NtAccessCheck())? > > > In my environment, the Authenticated Users does not appear in the ACL > > > too. > > > > Oh, yeah, right, *blush*. > > > > But it's still not the right thing to do. You convert the Samba ACL > > to a Windows ACL which gives Authenticated Users full permissions. > > So the check_access() function will return false positives, because > > every authenticated user is in the Authenticated Users group and has > > supposedly FILE_ALL_ACCESS. Even if the actual function (read, write, > > execute) will fail, the access() function will claim that every > > authenticated user has RWX perms. > > Ah, right. I have just confirmed that behaviour... > > > AFAICS, the underlying problem is somehow the user mapping. Did you > > try with username map = /foo/bar? > > Yes. However, my user name is 'yano' both in server (Linux) and > client (Windows 10) side. So, I think there is no effect of > 'username map'. I have something like corinna = MY_DOMAIN\corinna in there. Corinna