| delorie.com/archives/browse.cgi | search |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 delorie.com 4ABBKTtv3783652 |
| Authentication-Results: | delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com |
| Authentication-Results: | delorie.com; spf=pass smtp.mailfrom=cygwin.com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 delorie.com 4ABBKTtv3783652 |
| Authentication-Results: | delorie.com; |
| dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=eYXo8ThY | |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 429883858C62 |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1731324028; | |
| bh=7MkrC11LJAiFKErjOuiGtZznjmbeq7n0piKAO6RETTo=; | |
| h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: | |
| From; | |
| b=eYXo8ThYgyvnGxWI9RakEuDZcDpRD5sfIbiihXpFtLGeB6RYqVYTZ5Igl62DQ9GbZ | |
| uUmLjgIDlMXmirMMlnUAh2N4TkNQa3WsjVJukLz6V2IPWmjxgY5zyz1g7/qUg0ImJ2 | |
| V7x/BOi7bXCERN0ezoNXQTWLErCBNXgZq5e717VM= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 sourceware.org E2F083858D21 |
| ARC-Filter: | OpenARC Filter v1.0.0 sourceware.org E2F083858D21 |
| ARC-Seal: | i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731323974; cv=none; |
| b=OzaJw+j0tr6ISDwzrbiIsysOI6DOOHQ/jqUiYEIjfbzE0O5Bsft5hkRd/04hOp1iz6IAB8ChtcjIb7yYpUXFfh5guOwI8oEgn0CLFsEracCODE4WrWmVelkB3LKX6zM4gqWJOGsVzh9cg95PRZoIx9+wyP2L3rhmf+teX6uVlUw= | |
| ARC-Message-Signature: | i=1; a=rsa-sha256; d=sourceware.org; s=key; |
| t=1731323974; c=relaxed/simple; | |
| bh=bXY4urEC39sHhgmEhjxhXlYa7PDE15EqB6f5oJAcmzs=; | |
| h=Date:From:To:Subject:Message-Id:Mime-Version:DKIM-Signature; | |
| b=E9mfW55bFtyILxBfU5sywqMcJiMPWoWrrKq/F6iyBocuJs2B34wpzVhm/0qPSixqOq2j6CpdbrtEm9s6KxHL+/qHz9VJWnJvgrIh0Dgkbft08WAuX+OnwtvcowegTmN9UwKLIRdsSzUWp7V0OKk42aup0j8jOYbpGTfcDwMO6Wc= | |
| ARC-Authentication-Results: | i=1; server2.sourceware.org |
| Date: | Mon, 11 Nov 2024 20:19:28 +0900 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: SMBFS mount's file cannot be made executable |
| Message-Id: | <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp> |
| In-Reply-To: | <ZzHizX_6FXABDPvZ@calimero.vinschen.de> |
| References: | <BL0PR0901MB430827F1A0668E468B498FBBA5D70 AT BL0PR0901MB4308 DOT namprd09 DOT prod DOT outlook DOT com> |
| <20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp> | |
| <Zy4ODHHpmZPggGSz AT calimero DOT vinschen DOT de> | |
| <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp> | |
| <ZzHizX_6FXABDPvZ AT calimero DOT vinschen DOT de> | |
| X-Mailer: | Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32) |
| Mime-Version: | 1.0 |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.30 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Takashi Yano via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp> |
| Errors-To: | cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> |
On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:
> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > >
> > > read only = No
> > > vfs objects = acl_xattr
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> >
> > However, something is still wrong in my environment....
> > Others permission seems to be reffered in some cases.
>
> I don't understand. Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.
$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
This seems reasonable to me.
For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > Not sure if that helps, but I don't have any other idea. I'm running
> > > Samba in an AD environment and "it works for me" :-P
> >
> > I looked into this probelm and found the NtAccessCheck() fails
> > for my samba environment.
> >
> > It seems that next patch solves this.
> >
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > ace->Header.AceFlags))
> > return;
> > }
> > + /* Samba without AD seems to need this. */
> > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > + well_known_authenticated_users_sid, acl_len, 0);
> > acl->AclSize = acl_len;
> >
> > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> >
> > What do you think?
>
> Giving all authenticated users full permissions to all your files?
> Unconditionally? That sounds like opening a security hole wide open.
Does this really mean such thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this simillar?
--
Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp>
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |