SMBFS mount's file cannot be made executable

Takashi Yano takashi.yano@nifty.ne.jp
Wed Nov 13 09:17:55 GMT 2024


Hi Corinna,

On Tue, 12 Nov 2024 12:56:15 +0100
Corinna Vinschen wrote:
> On Nov 12 17:54, Takashi Yano via Cygwin wrote:
> > I noticed that the problem is not only in samba share, but
> > also in Windows share.
> > 
> > Yesterday, I used a shared resource of the root directory.
> > In that case, the access right of Authenticated Users was enabled.
> > However, when I tried a resource under the user folder, the access
> > right of Authenticated Users was not assigned, as follows.
> > 
> > $ icacls '\\kappy3\Share\smb_shared_file.txt'
> > \\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
> >                                    S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> >                                    NT AUTHORITY\SYSTEM:(DENY)(S,X)
> >                                    BUILTIN\Administrators:(DENY)(S,X)
> >                                    S-1-5-21-2089672436-4097686843-2104605006-513:(R)
> >                                    NT AUTHORITY\SYSTEM:(RX,W)
> >                                    BUILTIN\Administrators:(RX,W)
> >                                    Everyone:(R)
> > 
> > Successfully processed 1 files; Failed processing 0 files
> > 
> > $ ls -l //kappy3/Share/smb_shared_file.txt
> > -rw-r--r--+ 1 Unknown+User Unknown+Group 0 11月 12 15:50 //kappy3/Share/smb_shared_file.txt
> > 
> > $ /cygdrive/c/Windows/system32/whoami /USER
> > 
> > USER INFORMATION
> > ----------------
> > 
> > User Name    SID
> > ============ ==============================================
> > hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001
> > 
> > 
> > The file server is not in AD and uses an offline account in Windows 11
> > (meaning no Microsoft Account). The client also uses an offline account
> > in Windows 10.
> > The server and the client use the same user name and password, so
> > authentication is done automatically.
> 
> It's not *that* automatic.  Your user SIDs are still different on
> all standalone machines, so they are still different accounts, SID-wise.
> 
> > In this case, access() of the current cygwin wrongly refers to the
> > permissions for 'others'.
> > 
> > I wonder why the NtAccessCheck() can not handle this situation
> > correctly.
> 
> I really can't tell you, but there's
> https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object
> So, apparently, NtAccessCheck only checks the DACL against the
> SID list in the user token.  In the above case, the ACL does not
> contain your user account, nor one of the groups you're member
> of.  So your account's access is the one for the Everyone entry.
> 
> > The process token does not have the privileges of the
> > SIDs on the server side even though the authentication has been
> > done by the 'net use' command?
> 
> This is one of the things puzzling me for a while.  As soon as you
> authenticate to some standalone server for SMB, your access token should
> additionally contain the SID of the server account you authenticated as,
> at least for file access.  But that's not the case.
> 
> I just stumbled over
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/access-checks-windows-apis-return-incorrect-results
> 
> It seems to suggest using AuthZ in a certain way to check permissions.
> Maybe we can replace NtAccessCheck with AuthZ?  If we're lucky, we might
> even get away with the already existing code in the authz_ctx class
> defined in sec/helper.cc.  If not, we may have to add another
> method calling AuthzInitializeRemoteResourceManager instead of
> AuthzInitializeResourceManager.
> 
> Care to hack up a test?

I'm working on this; however, I am stuck on setting the first parameter
of AuthzInitializeRemoteResourceManager(). Most members of the structure
AUTHZ_RPC_INIT_INFO_CLIENT are PWSTR, and I have no idea what kind of
string should be set for each member, especially Endpoint and ServerSpn.

typedef struct _AUTHZ_RPC_INIT_INFO_CLIENT {
  USHORT version;
  PWSTR  ObjectUuid;
  PWSTR  ProtSeq;
  PWSTR  NetworkAddr;
  PWSTR  Endpoint;
  PWSTR  Options;
  PWSTR  ServerSpn;
} AUTHZ_RPC_INIT_INFO_CLIENT, *PAUTHZ_RPC_INIT_INFO_CLIENT;

Do you have any idea?

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>
