SMBFS mount's file cannot be made executable

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Nov 11 11:59:41 GMT 2024


On Nov 11 20:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
> 
> > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > Corinna Vinschen wrote:
> > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > and for the share itself, check that
> > > > 
> > > >   read only = No
> > > >   vfs objects = acl_xattr
> > >     ^^^^^^^^^^^^^^^^^^^^^^^
> > > Thanks! This makes things better.
> > > At least x permissions are set to executable compiled by gcc.
> > > 
> > > However, something is still wrong in my environment....
> > > Others permission seems to be reffered in some cases.
> > 
> > I don't understand.  Please run icacls for a just created file on your
> > Samba share (without the below patch) as well as Windows' `whoami /all'.
> 
> $ touch samba_test_file.txt
> $ icacls samba_test_file.txt
> samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
>                     S-1-5-21-479325430-3041864944-504445739-513:(R)
>                     Everyone:(R)
> 
> This seems reasonable to me.
> 
> For Windows 11 share, the result is
> samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
>                     S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)

  On Samba S-1-5-21-479325430-3041864944-504445739-1000
  On Windows S-1-5-21-2089672436-4097686843-2104605006-1001

Isn't the user mapping off?

It's also not clear where your Windows ACL comes from.  When I check the
permissions on typical Windows folders, Authenticated Users doesn't even
show up.



>                     S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
> [...]
>                     NT AUTHORITY\Authenticated Users:(RX,W)
> [...]
> > Giving all authenticated users full permissions to all your files?
> > Unconditionally?  That sounds like opening a security hole wide open.
> 
> Does this really mean such thing? Windows 11 share reports here,
> access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?

Well, it's just a group.  All authenticated users are member of the
group.  It's in all user tokens and if it allows everything on a file...


Corinna


More information about the Cygwin mailing list