Re: SMBFS mount's file cannot be made executable

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> On Mon, 18 Nov 2024 17:26:12 +0100
> Corinna Vinschen wrote:
> > We can safely assume that the current user is already authorized on the
> > SMB server.  So... shouldn't AuthzInitializeResourceManager be
> > sufficient and the code from class authz_ctx already does what we want?
> > We may just have to use in in place of calling NtCheckAccess(),
> > maybe with a tweak or two...
> 
> I already tried AuthzInitializeResourceManager(), but the result
> was the same with current implementation...

So you tried to call authz_get_user_attribute()?

> BTW, I come up with another implementation. This make the things
> much simpler. What do you think of the patch attached?

> [...]
>  int
>  check_file_access (path_conv &pc, int flags, bool effective)
>  {
> @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
>      desired |= FILE_EXECUTE;
>    if (!get_file_sd (pc.handle (), pc, sd, false))
>      {
> -      /* Tweak Samba security descriptor as necessary. */
> -      if (pc.fs_is_samba ())
> -	convert_samba_sd (sd);
> -      ret = check_access (sd, file_mapping, desired, flags, effective);
> +      HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> +			      0, NULL, OPEN_EXISTING,
> +			      FILE_FLAG_BACKUP_SEMANTICS, NULL);
> +      if (h != INVALID_HANDLE_VALUE)
> +	{
> +	  CloseHandle (h);
> +	  ret = 0;
> +	}
>      }
>    debug_printf ("flags %y, ret %d", flags, ret);
>    return ret;

No, we can't do that, it's too simple.

Just kidding.

This is so simple, I'm puzzled we never tried that before.  Or, if we
did, it's a loooong time ago...

If we really do this, we don't even need to call get_file_sd().  And it
should use NtOpenFile and reopen semantics i.e.  pc.init_reopen_attr().
Also, the sharing flags should allow all access.  And the `effective'
argument needs to be taken into account.

I wonder what side effects this has, but I can't think of any...

And I don't see any way around that, actually.  {Nt}AccessCheck
as well as AuthzAccessCheck(*) use a token/sid context and compare
that against a security descriptor.  Both don't care where the
SD is coming from, so the fact that this is coming from an
authenticated connection to a remote SMB server is just lost on them.
There's no simple CheckFileAccess function in the Windows API I'm
aware of :(


Thanks,
Corinna

(*) I wonder if AuthzAccessCheck isn't implemented using NtAccessCheck
    under the hood...