SMBFS mount's file cannot be made executable

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Nov 11 13:35:55 GMT 2024


On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 13:03:18 +0100
> Corinna Vinschen wrote:
> > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > Even with this patch, the file:
> > > > 
> > > > yano $ touch samba_test_file.txt
> > > > yano $ ls -l samba_test_files.txt
> > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > 
> > > Oops! This was wrong.
> > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > 
> > That's Samba for you.  I applied your patch and created a file
> > on my share, and the Authenticated Users group was not in the
> > resulting ACL.  Only user, group, and Everyone.
> > 
> > Either way, I don't think this is the right thing to do.  Even if
> > the group isn't added to the ACL on my machine, it still loks like
> > a security problem in waiting.
> 
> Isn't this DACL here used only for access_check() (NtAccessCheck())?
> In my environment, the Authenticated Users does not appear in the ACL
> too.

Oh, yeah, right, *blush*.

But it's still not the right thing to do.  You convert the Samba ACL
to a Windows ACL which gives Authenticated Users full permissions.
So the check_access() function will return false positives, because
every authenticated user is in the Authenticated Users group and has
supposedly FILE_ALL_ACCESS.  Even if the actual function (read, write,
execute) will fail, the access() function will claim that every
authenticated user has RWX perms.

AFAICS, the underlying problem is somehow the user mapping.  Did you
try with username map = /foo/bar?


Corinna


More information about the Cygwin mailing list