DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4ABAubSm3777534 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4ABAubSm3777534 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=qqDT8HvK X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 313043858C98 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1731322596; bh=OYsBzFLFMAAgAbaVOC6cWKG415qEvKTOTQXecIrX43k=; h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=qqDT8HvKvqcJQMTdlxevufBm0dtK55Q5ec5n/Tc+yr4l0x8le0zHPR570YJUrVL/z XmmHR4KOZ9KvsOqOivPYEuhTxkkNBR/X3vPHW6OV2OkgjXfISUW7FhAF32IkWG84bo IAJ8k7Memc4NR70nh+gzLTEMTR3NHFhKIvbCTVIY= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F39F33858D28 Date: Mon, 11 Nov 2024 11:56:13 +0100 To: cygwin AT cygwin DOT com Subject: Re: SMBFS mount's file cannot be made executable Message-ID: Mail-Followup-To: cygwin AT cygwin DOT com References: <20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp> <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20241111193152.c3a81044a03ecf2093185166@nifty.ne.jp> X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Corinna Vinschen via Cygwin Reply-To: cygwin AT cygwin DOT com Cc: Corinna Vinschen Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com Sender: "Cygwin" On Nov 11 19:31, Takashi Yano via Cygwin wrote: > On Fri, 8 Nov 2024 14:11:40 +0100 > Corinna Vinschen wrote: > > If the server is a Samba share, check if `force unknown acl user = yes' > > and for the share itself, check that > > > > read only = No > > vfs objects = acl_xattr > ^^^^^^^^^^^^^^^^^^^^^^^ > Thanks! This makes things better. > At least x permissions are set to executable compiled by gcc. > > However, something is still wrong in my environment.... > Others permission seems to be reffered in some cases. I don't understand. Please run icacls for a just created file on your Samba share (without the below patch) as well as Windows' `whoami /all'. > > map acl inherit = Yes > > store dos attributes = Yes > > > > Not sure if that helps, but I don't have any other idea. I'm running > > Samba in an AD environment and "it works for me" :-P > > I looked into this probelm and found the NtAccessCheck() fails > for my samba environment. > > It seems that next patch solves this. > > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc > index d5e39d281..c519af6e0 100644 > --- a/winsup/cygwin/sec/base.cc > +++ b/winsup/cygwin/sec/base.cc > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret) > ace->Header.AceFlags)) > return; > } > + /* Samba without AD seems to need this. */ > + add_access_allowed_ace (acl, FILE_ALL_ACCESS, > + well_known_authenticated_users_sid, acl_len, 0); > acl->AclSize = acl_len; > > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION); > > What do you think? Giving all authenticated users full permissions to all your files? Unconditionally? That sounds like opening a security hole wide open. Corinna -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple