| delorie.com/archives/browse.cgi | search |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 delorie.com 4ABAubSm3777534 |
| Authentication-Results: | delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com |
| Authentication-Results: | delorie.com; spf=pass smtp.mailfrom=cygwin.com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 delorie.com 4ABAubSm3777534 |
| Authentication-Results: | delorie.com; |
| dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=qqDT8HvK | |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 313043858C98 |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1731322596; | |
| bh=OYsBzFLFMAAgAbaVOC6cWKG415qEvKTOTQXecIrX43k=; | |
| h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: | |
| From; | |
| b=qqDT8HvKvqcJQMTdlxevufBm0dtK55Q5ec5n/Tc+yr4l0x8le0zHPR570YJUrVL/z | |
| XmmHR4KOZ9KvsOqOivPYEuhTxkkNBR/X3vPHW6OV2OkgjXfISUW7FhAF32IkWG84bo | |
| IAJ8k7Memc4NR70nh+gzLTEMTR3NHFhKIvbCTVIY= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org F39F33858D28 |
| Date: | Mon, 11 Nov 2024 11:56:13 +0100 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: SMBFS mount's file cannot be made executable |
| Message-ID: | <ZzHizX_6FXABDPvZ@calimero.vinschen.de> |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <BL0PR0901MB430827F1A0668E468B498FBBA5D70 AT BL0PR0901MB4308 DOT namprd09 DOT prod DOT outlook DOT com> |
| <20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp> | |
| <Zy4ODHHpmZPggGSz AT calimero DOT vinschen DOT de> | |
| <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp> | |
| MIME-Version: | 1.0 |
| In-Reply-To: | <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp> |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.30 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| Errors-To: | cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> |
On Nov 11 19:31, Takashi Yano via Cygwin wrote: > On Fri, 8 Nov 2024 14:11:40 +0100 > Corinna Vinschen wrote: > > If the server is a Samba share, check if `force unknown acl user = yes' > > and for the share itself, check that > > > > read only = No > > vfs objects = acl_xattr > ^^^^^^^^^^^^^^^^^^^^^^^ > Thanks! This makes things better. > At least x permissions are set to executable compiled by gcc. > > However, something is still wrong in my environment.... > Others permission seems to be reffered in some cases. I don't understand. Please run icacls for a just created file on your Samba share (without the below patch) as well as Windows' `whoami /all'. > > map acl inherit = Yes > > store dos attributes = Yes > > > > Not sure if that helps, but I don't have any other idea. I'm running > > Samba in an AD environment and "it works for me" :-P > > I looked into this probelm and found the NtAccessCheck() fails > for my samba environment. > > It seems that next patch solves this. > > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc > index d5e39d281..c519af6e0 100644 > --- a/winsup/cygwin/sec/base.cc > +++ b/winsup/cygwin/sec/base.cc > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret) > ace->Header.AceFlags)) > return; > } > + /* Samba without AD seems to need this. */ > + add_access_allowed_ace (acl, FILE_ALL_ACCESS, > + well_known_authenticated_users_sid, acl_len, 0); > acl->AclSize = acl_len; > > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION); > > What do you think? Giving all authenticated users full permissions to all your files? Unconditionally? That sounds like opening a security hole wide open. Corinna -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |