DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4ABDaHeQ3815788
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4ABDaHeQ3815788
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=R/OnTSF9
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4285C3858C98
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1731332176;
	bh=U+mMzlimTjyh0WrWRJ8AID2VZ7jQXYcg8HKbgdCwZcM=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=R/OnTSF9Ic+j8hD1gHjEtAXaRpIU7GK7BFmkdUxpC8N666ieDEpx8By+ugmo8i1ft
	 2kgs0bweJEVRPX8PbN+2iW44eVeQYl+krfV98ivbR161hDisabALYdpMdRsMvUIDju
	 6rz3KxSDIRxXpe0t3SV+cHEiUABbPJHQhD0UhArg=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 5F2B43858D21
Date: Mon, 11 Nov 2024 14:35:55 +0100
To: cygwin AT cygwin DOT com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <ZzIIO2NxmdYpox2A@calimero.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <BL0PR0901MB430827F1A0668E468B498FBBA5D70 AT BL0PR0901MB4308 DOT namprd09 DOT prod DOT outlook DOT com>
 <20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp>
 <Zy4ODHHpmZPggGSz AT calimero DOT vinschen DOT de>
 <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp>
 <ZzHizX_6FXABDPvZ AT calimero DOT vinschen DOT de>
 <20241111201928 DOT 811a2f8f09142b7aa8fe9bdc AT nifty DOT ne DOT jp>
 <20241111203202 DOT b22bcf4f9030aff58299fe0e AT nifty DOT ne DOT jp>
 <20241111204051 DOT 493f12208bb59d62b699dd28 AT nifty DOT ne DOT jp>
 <ZzHyhoWnNvkTQYW- AT calimero DOT vinschen DOT de>
 <20241111211953 DOT 605b186566ce3a44ca929788 AT nifty DOT ne DOT jp>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20241111211953.605b186566ce3a44ca929788@nifty.ne.jp>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 13:03:18 +0100
> Corinna Vinschen wrote:
> > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > Takashi Yano via Cygwin <cygwin AT cygwin DOT com> wrote:
> > > > Even with this patch, the file:
> > > > 
> > > > yano $ touch samba_test_file.txt
> > > > yano $ ls -l samba_test_files.txt
> > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > 
> > > Oops! This was wrong.
> > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > 
> > That's Samba for you.  I applied your patch and created a file
> > on my share, and the Authenticated Users group was not in the
> > resulting ACL.  Only user, group, and Everyone.
> > 
> > Either way, I don't think this is the right thing to do.  Even if
> > the group isn't added to the ACL on my machine, it still loks like
> > a security problem in waiting.
> 
> Isn't this DACL here used only for access_check() (NtAccessCheck())?
> In my environment, the Authenticated Users does not appear in the ACL
> too.

Oh, yeah, right, *blush*.

But it's still not the right thing to do.  You convert the Samba ACL
to a Windows ACL which gives Authenticated Users full permissions.
So the check_access() function will return false positives, because
every authenticated user is in the Authenticated Users group and has
supposedly FILE_ALL_ACCESS.  Even if the actual function (read, write,
execute) will fail, the access() function will claim that every
authenticated user has RWX perms.

AFAICS, the underlying problem is somehow the user mapping.  Did you
try with username map = /foo/bar?


Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple