DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4ACBWlPN4130910
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4ACBWlPN4130910
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=myLNel6n
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 272263858427
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1731411167;
	bh=KZax0PiVOAE0C24zfIO2rJd3lRanht7osrCom33+3i0=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=myLNel6nygc7rckNwc3NRFlhnSSiZuQzlhqyNP+F2MT6olUHZso0jJQkHEVqgCpON
	 LgopB9gifbGOiBY2LBw/vsiy0MaD6eOToUWZEdV9wtthIV77ESy3Ff5sE/HM07pOzt
	 Thb367yA4TTvE53dvD5pVjGxDhVxlJqx3eM6LLhI=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2253C3858D20
Date: Tue, 12 Nov 2024 12:31:39 +0100
To: cygwin AT cygwin DOT com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <ZzM8myfrcnbo88cO@calimero.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <Zy4ODHHpmZPggGSz AT calimero DOT vinschen DOT de>
 <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp>
 <ZzHizX_6FXABDPvZ AT calimero DOT vinschen DOT de>
 <20241111201928 DOT 811a2f8f09142b7aa8fe9bdc AT nifty DOT ne DOT jp>
 <20241111203202 DOT b22bcf4f9030aff58299fe0e AT nifty DOT ne DOT jp>
 <20241111204051 DOT 493f12208bb59d62b699dd28 AT nifty DOT ne DOT jp>
 <ZzHyhoWnNvkTQYW- AT calimero DOT vinschen DOT de>
 <20241111211953 DOT 605b186566ce3a44ca929788 AT nifty DOT ne DOT jp>
 <ZzIIO2NxmdYpox2A AT calimero DOT vinschen DOT de>
 <20241112042937 DOT 740185a42d476993b4b1e31c AT nifty DOT ne DOT jp>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On Nov 12 04:29, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 14:35:55 +0100
> Corinna Vinschen wrote:
> > On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 13:03:18 +0100
> > > Corinna Vinschen wrote:
> > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > > Takashi Yano via Cygwin <cygwin AT cygwin DOT com> wrote:
> > > > > > Even with this patch, the file:
> > > > > > 
> > > > > > yano $ touch samba_test_file.txt
> > > > > > yano $ ls -l samba_test_files.txt
> > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > > > 
> > > > > Oops! This was wrong.
> > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > > > 
> > > > That's Samba for you.  I applied your patch and created a file
> > > > on my share, and the Authenticated Users group was not in the
> > > > resulting ACL.  Only user, group, and Everyone.
> > > > 
> > > > Either way, I don't think this is the right thing to do.  Even if
> > > > the group isn't added to the ACL on my machine, it still loks like
> > > > a security problem in waiting.
> > > 
> > > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > > In my environment, the Authenticated Users does not appear in the ACL
> > > too.
> > 
> > Oh, yeah, right, *blush*.
> > 
> > But it's still not the right thing to do.  You convert the Samba ACL
> > to a Windows ACL which gives Authenticated Users full permissions.
> > So the check_access() function will return false positives, because
> > every authenticated user is in the Authenticated Users group and has
> > supposedly FILE_ALL_ACCESS.  Even if the actual function (read, write,
> > execute) will fail, the access() function will claim that every
> > authenticated user has RWX perms.
> 
> Ah, right. I have just confirmed that behaviour...
> 
> > AFAICS, the underlying problem is somehow the user mapping.  Did you
> > try with username map = /foo/bar?
> 
> Yes. However, my user name is 'yano' both in server (Linux) and
> client (Windows 10) side. So, I think there is no effect of
> 'username map'.

I have something like corinna = MY_DOMAIN\corinna in there.


Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple