SMBFS mount's file cannot be made executable

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Nov 11 10:56:13 GMT 2024


On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> On Fri, 8 Nov 2024 14:11:40 +0100
> Corinna Vinschen wrote:
> > If the server is a Samba share, check if `force unknown acl user = yes'
> > and for the share itself, check that
> > 
> >   read only = No
> >   vfs objects = acl_xattr
>     ^^^^^^^^^^^^^^^^^^^^^^^
> Thanks! This makes things better.
> At least x permissions are set to executable compiled by gcc.
> 
> However, something is still wrong in my environment....
> Others permission seems to be reffered in some cases.

I don't understand.  Please run icacls for a just created file on your
Samba share (without the below patch) as well as Windows' `whoami /all'.

> >   map acl inherit = Yes
> >   store dos attributes = Yes
> > 
> > Not sure if that helps, but I don't have any other idea.  I'm running
> > Samba in an AD environment and "it works for me" :-P
> 
> I looked into this probelm and found the NtAccessCheck() fails
> for my samba environment.
> 
> It seems that next patch solves this.
> 
> diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> index d5e39d281..c519af6e0 100644
> --- a/winsup/cygwin/sec/base.cc
> +++ b/winsup/cygwin/sec/base.cc
> @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
>  				     ace->Header.AceFlags))
>  	  return;
>        }
> +  /* Samba without AD seems to need this. */
> +  add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> +			  well_known_authenticated_users_sid, acl_len, 0);
>    acl->AclSize = acl_len;
>  
>    RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> 
> What do you think?

Giving all authenticated users full permissions to all your files?
Unconditionally?  That sounds like opening a security hole wide open.


Corinna


More information about the Cygwin mailing list