SMBFS mount's file cannot be made executable

Takashi Yano takashi.yano@nifty.ne.jp
Mon Nov 11 11:19:28 GMT 2024


On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:

> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > > 
> > >   read only = No
> > >   vfs objects = acl_xattr
> >     ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> > 
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
> 
> I don't understand.  Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.

$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
                    S-1-5-21-479325430-3041864944-504445739-513:(R)
                    Everyone:(R)

This seems reasonable to me.

For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
                    S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
                    NT AUTHORITY\Authenticated Users:(DENY)(S,X)
                    NT AUTHORITY\SYSTEM:(DENY)(S,X)
                    BUILTIN\Administrators:(DENY)(S,X)
                    BUILTIN\Users:(DENY)(S,X)
                    S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
                    NT AUTHORITY\Authenticated Users:(RX,W)
                    NT AUTHORITY\SYSTEM:(RX,W)
                    BUILTIN\Administrators:(RX,W)
                    BUILTIN\Users:(RX)
                    Everyone:(R)

> > >   map acl inherit = Yes
> > >   store dos attributes = Yes
> > > 
> > > Not sure if that helps, but I don't have any other idea.  I'm running
> > > Samba in an AD environment and "it works for me" :-P
> > 
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> > 
> > It seems that next patch solves this.
> > 
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> >  				     ace->Header.AceFlags))
> >  	  return;
> >        }
> > +  /* Samba without AD seems to need this. */
> > +  add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > +			  well_known_authenticated_users_sid, acl_len, 0);
> >    acl->AclSize = acl_len;
> >  
> >    RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > 
> > What do you think?
> 
> Giving all authenticated users full permissions to all your files?
> Unconditionally?  That sounds like opening a security hole wide open.

Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>


More information about the Cygwin mailing list