delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2024/11/12/03:56:25

DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4AC8uOON4088599
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4AC8uOON4088599
Authentication-Results: delorie.com;
dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=WDR1yeTD
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 14D573858416
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
s=default; t=1731401783;
bh=tXPPxcvuvo/t6NeIAtFft44GdVEU+2t4kkldtY5aoCo=;
h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=WDR1yeTD6K3/XoXHOOfrHHRX3BkfrwFmPkC4t9TRjKkYHZdcAd6Dp0zkzcU1UP6YG
5gk+TKs+Ixn0+rTSCVS5s1rK0Glg9GotNmSMLulB/8qWYW5li9cmCvQ2ndfHbetywi
3eOIRaLY50mC1Y9myuiYxYHDSZeJZxKbR+8Cc14Q=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 24C353858CDB
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 24C353858CDB
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731401683; cv=none;
b=t6fcNi37mCncq67XoQsgz5bDlZH2jaOVvXD+iua7UpU9EzxTeY7168hKfMNHIQ98ie1cLjjUIBjvx8Vi3b57AtSxd5vr3feMDi6FXgidKHw3S2wbrxtlah13I45rDwbFBQKScjpqbeyqZrjMbGo4nnFPjCCsT792UhOBjlsOh0k=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
t=1731401683; c=relaxed/simple;
bh=AsPS8qM+SBiUEBATHy5H8GFYCzYkdqTBVy2A4YSRpW0=;
h=Date:From:To:Subject:Message-Id:Mime-Version:DKIM-Signature;
b=kMJQmVd9EhJyumTVxEu/qLoJQjX5TERpw16FKRUXXHYXC9+Iu2oDdAqCxPpRLSSJ5rOw3pQSJI9AceW+F8ULUBj6nTgSSkB+bWL1Vb2aN2UV6hZ3WwKG56rqr+7r111A8Q7fPeiawi2qqErfjja+8GHGQwAQEJxm5hZBy0r+ugE=
ARC-Authentication-Results: i=1; server2.sourceware.org
Date: Tue, 12 Nov 2024 17:54:27 +0900
To: cygwin AT cygwin DOT com
Subject: Re: SMBFS mount's file cannot be made executable
Message-Id: <20241112175427.750ae77a8086594a765862c5@nifty.ne.jp>
In-Reply-To: <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp>
References: <BL0PR0901MB430827F1A0668E468B498FBBA5D70 AT BL0PR0901MB4308 DOT namprd09 DOT prod DOT outlook DOT com>
<20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp>
<Zy4ODHHpmZPggGSz AT calimero DOT vinschen DOT de>
<20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp>
<ZzHizX_6FXABDPvZ AT calimero DOT vinschen DOT de>
<20241111201928 DOT 811a2f8f09142b7aa8fe9bdc AT nifty DOT ne DOT jp>
<20241111203202 DOT b22bcf4f9030aff58299fe0e AT nifty DOT ne DOT jp>
<20241111204051 DOT 493f12208bb59d62b699dd28 AT nifty DOT ne DOT jp>
<ZzHyhoWnNvkTQYW- AT calimero DOT vinschen DOT de>
<20241111211953 DOT 605b186566ce3a44ca929788 AT nifty DOT ne DOT jp>
<ZzIIO2NxmdYpox2A AT calimero DOT vinschen DOT de>
<20241112042937 DOT 740185a42d476993b4b1e31c AT nifty DOT ne DOT jp>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32)
Mime-Version: 1.0
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Takashi Yano via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp>
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> 

On Tue, 12 Nov 2024 04:29:37 +0900
Takashi Yano wrote:
> On Mon, 11 Nov 2024 14:35:55 +0100
> Corinna Vinschen wrote:
> > On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 13:03:18 +0100
> > > Corinna Vinschen wrote:
> > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > > Takashi Yano via Cygwin <cygwin AT cygwin DOT com> wrote:
> > > > > > Even with this patch, the file:
> > > > > > 
> > > > > > yano $ touch samba_test_file.txt
> > > > > > yano $ ls -l samba_test_files.txt
> > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > > > 
> > > > > Oops! This was wrong.
> > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > > > 
> > > > That's Samba for you.  I applied your patch and created a file
> > > > on my share, and the Authenticated Users group was not in the
> > > > resulting ACL.  Only user, group, and Everyone.
> > > > 
> > > > Either way, I don't think this is the right thing to do.  Even if
> > > > the group isn't added to the ACL on my machine, it still loks like
> > > > a security problem in waiting.
> > > 
> > > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > > In my environment, the Authenticated Users does not appear in the ACL
> > > too.
> > 
> > Oh, yeah, right, *blush*.
> > 
> > But it's still not the right thing to do.  You convert the Samba ACL
> > to a Windows ACL which gives Authenticated Users full permissions.
> > So the check_access() function will return false positives, because
> > every authenticated user is in the Authenticated Users group and has
> > supposedly FILE_ALL_ACCESS.  Even if the actual function (read, write,
> > execute) will fail, the access() function will claim that every
> > authenticated user has RWX perms.
> 
> Ah, right. I have just confirmed that behaviour...
> 
> > AFAICS, the underlying problem is somehow the user mapping.  Did you
> > try with username map = /foo/bar?
> 
> Yes. However, my user name is 'yano' both in server (Linux) and
> client (Windows 10) side. So, I think there is no effect of
> 'username map'.

I noticed that the probelm is not only in samba share, but
also in Windows share.

Yesterday, I used shared resource of the root directory.
In that case, access right of Authenticated Users was enabled.
However, when I tried resource under the user folder, the access
right of Authenticated Users is not assigned as follows.

$ icacls '\\kappy3\Share\smb_shared_file.txt'
\\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
                                   S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
                                   NT AUTHORITY\SYSTEM:(DENY)(S,X)
                                   BUILTIN\Administrators:(DENY)(S,X)
                                   S-1-5-21-2089672436-4097686843-2104605006-513:(R)
                                   NT AUTHORITY\SYSTEM:(RX,W)
                                   BUILTIN\Administrators:(RX,W)
                                   Everyone:(R)

Successfully processed 1 files; Failed processing 0 files

$ ls -l //kappy3/Share/smb_shared_file.txt
-rw-r--r--+ 1 Unknown+User Unknown+Group 0 11$B7n(B 12 15:50 //kappy3/Share/smb_shared_file.txt

$ /cygdrive/c/Windows/system32/whoami /USER

USER INFORMATION
----------------

User Name    SID
============ ==============================================
hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001


The file server is not in AD and uses offline account in Windows 11
(means no Microsoft Account). The client also uses offline account
in Windows 10 too.
The server and the client use the same user name and password, so
authentication is automatically done.

In this case, access() of the current cygwin wrongly refers to the
permissions for 'others'.

I wonder why the NtAccessCheck() can not handle this situation
correctly. The process token does not have the privilege of the
SIDs in the server side even though the authentication has been
done by 'net use' command?

-- 
Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp>

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019