| delorie.com/archives/browse.cgi | search |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 delorie.com 4AJKxWsU3297278 |
| Authentication-Results: | delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com |
| Authentication-Results: | delorie.com; spf=pass smtp.mailfrom=cygwin.com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 delorie.com 4AJKxWsU3297278 |
| Authentication-Results: | delorie.com; |
| dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=knFAnatS | |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org CEEFA385840F |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1732049970; | |
| bh=OTP64wQlbU8tThAEUZ79x/Jn8OkFEJK7zj48g8jJfrA=; | |
| h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: | |
| From; | |
| b=knFAnatSrERBEiF/k3eoF2Bmm7ir7GzqpetZQ0uxSNK9Y0M1IJgNJPyg6UpYQUEkR | |
| rcShffb9YD6i166sWNNVhovqc0kVs0ximBj7xBlZ9MUxoNSI1OhBtWGCyENbx+JyUx | |
| k/eFDmBLO4jqVBBUCYUkETdsuB05Y0MG8Ku5wQLM= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 2300B3858D34 |
| Date: | Tue, 19 Nov 2024 21:54:44 +0100 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: SMBFS mount's file cannot be made executable |
| Message-ID: | <Zzz7FJim9kIiqjyy@calimero.vinschen.de> |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <20241112175427 DOT 750ae77a8086594a765862c5 AT nifty DOT ne DOT jp> |
| <ZzNCXz3o9k40U9zA AT calimero DOT vinschen DOT de> | |
| <20241113181755 DOT 02289e8e8d9af7e19e8f4387 AT nifty DOT ne DOT jp> | |
| <CANV9t=SvYedzG-LmECwdT7kjipOyhgwsZ1yucnTm8mWMnNkJVw AT mail DOT gmail DOT com> | |
| <20241114003740 DOT e573d7ec79d35da76225c9f1 AT nifty DOT ne DOT jp> | |
| <CANV9t=TLh8xD7KBsF-MucZWNjP-L0KE04xUv2-2e=Z5fXTjk=w AT mail DOT gmail DOT com> | |
| <20241114010807 DOT 99f46760b2240d472440c329 AT nifty DOT ne DOT jp> | |
| <20241116002122 DOT 3f4fd325a497eb4261ad80f4 AT nifty DOT ne DOT jp> | |
| <ZztqpBESgcTXcd3d AT calimero DOT vinschen DOT de> | |
| <20241119175806 DOT 321cdb7e65a727a2eb58c8a6 AT nifty DOT ne DOT jp> | |
| MIME-Version: | 1.0 |
| In-Reply-To: | <20241119175806.321cdb7e65a727a2eb58c8a6@nifty.ne.jp> |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.30 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| Errors-To: | cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> |
On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> On Mon, 18 Nov 2024 17:26:12 +0100
> Corinna Vinschen wrote:
> > We can safely assume that the current user is already authorized on the
> > SMB server. So... shouldn't AuthzInitializeResourceManager be
> > sufficient and the code from class authz_ctx already does what we want?
> > We may just have to use in in place of calling NtCheckAccess(),
> > maybe with a tweak or two...
>
> I already tried AuthzInitializeResourceManager(), but the result
> was the same with current implementation...
So you tried to call authz_get_user_attribute()?
> BTW, I come up with another implementation. This make the things
> much simpler. What do you think of the patch attached?
> [...]
> int
> check_file_access (path_conv &pc, int flags, bool effective)
> {
> @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
> desired |= FILE_EXECUTE;
> if (!get_file_sd (pc.handle (), pc, sd, false))
> {
> - /* Tweak Samba security descriptor as necessary. */
> - if (pc.fs_is_samba ())
> - convert_samba_sd (sd);
> - ret = check_access (sd, file_mapping, desired, flags, effective);
> + HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> + 0, NULL, OPEN_EXISTING,
> + FILE_FLAG_BACKUP_SEMANTICS, NULL);
> + if (h != INVALID_HANDLE_VALUE)
> + {
> + CloseHandle (h);
> + ret = 0;
> + }
> }
> debug_printf ("flags %y, ret %d", flags, ret);
> return ret;
No, we can't do that, it's too simple.
Just kidding.
This is so simple, I'm puzzled we never tried that before. Or, if we
did, it's a loooong time ago...
If we really do this, we don't even need to call get_file_sd(). And it
should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
Also, the sharing flags should allow all access. And the `effective'
argument needs to be taken into account.
I wonder what side effects this has, but I can't think of any...
And I don't see any way around that, actually. {Nt}AccessCheck
as well as AuthzAccessCheck(*) use a token/sid context and compare
that against a security descriptor. Both don't care where the
SD is coming from, so the fact that this is coming from an
authenticated connection to a remote SMB server is just lost on them.
There's no simple CheckFileAccess function in the Windows API I'm
aware of :(
Thanks,
Corinna
(*) I wonder if AuthzAccessCheck isn't implemented using NtAccessCheck
under the hood...
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |