Date: Mon, 11 Nov 2024 14:35:55 +0100
To: cygwin@cygwin.com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <ZzIIO2NxmdYpox2A@calimero.vinschen.de>
Mail-Followup-To: cygwin@cygwin.com
References: <BL0PR0901MB430827F1A0668E468B498FBBA5D70@BL0PR0901MB4308.namprd09.prod.outlook.com>
 <20241108205109.55f99e2d172b9fc87e92ae67@nifty.ne.jp>
 <Zy4ODHHpmZPggGSz@calimero.vinschen.de>
 <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp>
 <ZzHizX_6FXABDPvZ@calimero.vinschen.de>
 <20241111201928.811a2f8f09142b7aa8fe9bdc@nifty.ne.jp>
 <20241111203202.b22bcf4f9030aff58299fe0e@nifty.ne.jp>
 <20241111204051.493f12208bb59d62b699dd28@nifty.ne.jp>
 <ZzHyhoWnNvkTQYW-@calimero.vinschen.de>
 <20241111211953.605b186566ce3a44ca929788@nifty.ne.jp>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20241111211953.605b186566ce3a44ca929788@nifty.ne.jp>
From: Corinna Vinschen via Cygwin <cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
Cc: Corinna Vinschen <corinna-cygwin@cygwin.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 13:03:18 +0100
> Corinna Vinschen wrote:
> > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > Even with this patch, the file:
> > > > 
> > > > yano $ touch samba_test_file.txt
> > > > yano $ ls -l samba_test_files.txt
> > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > 
> > > Oops! This was wrong.
> > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > 
> > That's Samba for you.  I applied your patch and created a file
> > on my share, and the Authenticated Users group was not in the
> > resulting ACL.  Only user, group, and Everyone.
> > 
> > Either way, I don't think this is the right thing to do.  Even if
> > the group isn't added to the ACL on my machine, it still looks like
> > a security problem in waiting.
> 
> Isn't this DACL here used only for access_check() (NtAccessCheck())?
> In my environment, the Authenticated Users does not appear in the ACL
> too.

Oh, yeah, right, *blush*.

But it's still not the right thing to do.  You convert the Samba ACL
to a Windows ACL which gives Authenticated Users full permissions.
So the check_access() function will return false positives, because
every authenticated user is in the Authenticated Users group and has
supposedly FILE_ALL_ACCESS.  Even if the actual function (read, write,
execute) will fail, the access() function will claim that every
authenticated user has RWX perms.

AFAICS, the underlying problem is somehow the user mapping.  Did you
try with username map = /foo/bar?


Corinna
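
The false positive described in the message above, as a simplified model added here; it is not part of the original message and not Cygwin's code. The SID names, the rwx bit masks, and the 0644 to ACE mapping are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an ordered DACL walk, constructed for illustration;
   not Cygwin's check_access() and not the real NtAccessCheck(). */
enum { R = 4, W = 2, X = 1, RWX = 7 };  /* RWX stands in for FILE_ALL_ACCESS */
enum sid { OWNER, GROUP, EVERYONE, AUTH_USERS, OTHER_USER };
struct ace { bool allow; enum sid sid; unsigned mask; };

static bool has_sid(const enum sid *tok, size_t n, enum sid s)
{
  while (n--)
    if (tok[n] == s) return true;
  return false;
}

/* Grant only if every requested bit is allowed by an ACE matching the token;
   a matching deny ACE on a still-missing bit refuses the request. */
bool access_check(const struct ace *dacl, size_t naces,
                  const enum sid *tok, size_t nsids, unsigned want)
{
  unsigned missing = want;
  for (size_t i = 0; i < naces && missing; i++) {
    if (!has_sid(tok, nsids, dacl[i].sid)) continue;
    if (dacl[i].allow)
      missing &= ~dacl[i].mask;
    else if (dacl[i].mask & missing)
      return false;
  }
  return missing == 0;
}

/* Result for an authenticated user who is neither owner nor group member. */
bool other_user_may(unsigned want, bool with_auth_users_ace)
{
  const struct ace dacl[] = {            /* constructed DACL for a 0644 file */
    { true, OWNER, R | W }, { true, GROUP, R }, { true, EVERYONE, R },
    { true, AUTH_USERS, RWX },           /* the ACE under discussion */
  };
  const enum sid tok[] = { OTHER_USER, EVERYONE, AUTH_USERS };
  return access_check(dacl, with_auth_users_ace ? 4 : 3, tok, 3, want);
}

int main(void)
{
  printf("W without ACE: %d, RWX with ACE: %d\n", other_user_may(W, false), other_user_may(RWX, true));
  return 0;
}
```
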

