SMBFS mount's file cannot be made executable
Corinna Vinschen
corinna-cygwin@cygwin.com
Mon Nov 11 10:56:13 GMT 2024
On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> On Fri, 8 Nov 2024 14:11:40 +0100
> Corinna Vinschen wrote:
> > If the server is a Samba share, check if `force unknown acl user = yes'
> > and for the share itself, check that
> >
> > read only = No
> > vfs objects = acl_xattr
> ^^^^^^^^^^^^^^^^^^^^^^^
> Thanks! This makes things better.
> At least x permissions are set to executable compiled by gcc.
>
> However, something is still wrong in my environment....
> Others permission seems to be reffered in some cases.
I don't understand. Please run icacls for a just created file on your
Samba share (without the below patch) as well as Windows' `whoami /all'.
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > Not sure if that helps, but I don't have any other idea. I'm running
> > Samba in an AD environment and "it works for me" :-P
>
> I looked into this probelm and found the NtAccessCheck() fails
> for my samba environment.
>
> It seems that next patch solves this.
>
> diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> index d5e39d281..c519af6e0 100644
> --- a/winsup/cygwin/sec/base.cc
> +++ b/winsup/cygwin/sec/base.cc
> @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> ace->Header.AceFlags))
> return;
> }
> + /* Samba without AD seems to need this. */
> + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> + well_known_authenticated_users_sid, acl_len, 0);
> acl->AclSize = acl_len;
>
> RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
>
> What do you think?
Giving all authenticated users full permissions to all your files?
Unconditionally? That sounds like opening a security hole wide open.
Corinna
More information about the Cygwin
mailing list