DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4AJKxWsU3297278
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4AJKxWsU3297278
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=knFAnatS
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CEEFA385840F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1732049970;
	bh=OTP64wQlbU8tThAEUZ79x/Jn8OkFEJK7zj48g8jJfrA=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=knFAnatSrERBEiF/k3eoF2Bmm7ir7GzqpetZQ0uxSNK9Y0M1IJgNJPyg6UpYQUEkR
	 rcShffb9YD6i166sWNNVhovqc0kVs0ximBj7xBlZ9MUxoNSI1OhBtWGCyENbx+JyUx
	 k/eFDmBLO4jqVBBUCYUkETdsuB05Y0MG8Ku5wQLM=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2300B3858D34
Date: Tue, 19 Nov 2024 21:54:44 +0100
To: cygwin AT cygwin DOT com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <Zzz7FJim9kIiqjyy@calimero.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20241112175427 DOT 750ae77a8086594a765862c5 AT nifty DOT ne DOT jp>
 <ZzNCXz3o9k40U9zA AT calimero DOT vinschen DOT de>
 <20241113181755 DOT 02289e8e8d9af7e19e8f4387 AT nifty DOT ne DOT jp>
 <CANV9t=SvYedzG-LmECwdT7kjipOyhgwsZ1yucnTm8mWMnNkJVw AT mail DOT gmail DOT com>
 <20241114003740 DOT e573d7ec79d35da76225c9f1 AT nifty DOT ne DOT jp>
 <CANV9t=TLh8xD7KBsF-MucZWNjP-L0KE04xUv2-2e=Z5fXTjk=w AT mail DOT gmail DOT com>
 <20241114010807 DOT 99f46760b2240d472440c329 AT nifty DOT ne DOT jp>
 <20241116002122 DOT 3f4fd325a497eb4261ad80f4 AT nifty DOT ne DOT jp>
 <ZztqpBESgcTXcd3d AT calimero DOT vinschen DOT de>
 <20241119175806 DOT 321cdb7e65a727a2eb58c8a6 AT nifty DOT ne DOT jp>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20241119175806.321cdb7e65a727a2eb58c8a6@nifty.ne.jp>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> On Mon, 18 Nov 2024 17:26:12 +0100
> Corinna Vinschen wrote:
> > We can safely assume that the current user is already authorized on the
> > SMB server.  So... shouldn't AuthzInitializeResourceManager be
> > sufficient and the code from class authz_ctx already does what we want?
> > We may just have to use in in place of calling NtCheckAccess(),
> > maybe with a tweak or two...
> 
> I already tried AuthzInitializeResourceManager(), but the result
> was the same with current implementation...

So you tried to call authz_get_user_attribute()?

> BTW, I come up with another implementation. This make the things
> much simpler. What do you think of the patch attached?

> [...]
>  int
>  check_file_access (path_conv &pc, int flags, bool effective)
>  {
> @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
>      desired |= FILE_EXECUTE;
>    if (!get_file_sd (pc.handle (), pc, sd, false))
>      {
> -      /* Tweak Samba security descriptor as necessary. */
> -      if (pc.fs_is_samba ())
> -	convert_samba_sd (sd);
> -      ret = check_access (sd, file_mapping, desired, flags, effective);
> +      HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> +			      0, NULL, OPEN_EXISTING,
> +			      FILE_FLAG_BACKUP_SEMANTICS, NULL);
> +      if (h != INVALID_HANDLE_VALUE)
> +	{
> +	  CloseHandle (h);
> +	  ret = 0;
> +	}
>      }
>    debug_printf ("flags %y, ret %d", flags, ret);
>    return ret;

No, we can't do that, it's too simple.

Just kidding.

This is so simple, I'm puzzled we never tried that before.  Or, if we
did, it's a loooong time ago...

If we really do this, we don't even need to call get_file_sd().  And it
should use NtOpenFile and reopen semantics i.e.  pc.init_reopen_attr().
Also, the sharing flags should allow all access.  And the `effective'
argument needs to be taken into account.

I wonder what side effects this has, but I can't think of any...

And I don't see any way around that, actually.  {Nt}AccessCheck
as well as AuthzAccessCheck(*) use a token/sid context and compare
that against a security descriptor.  Both don't care where the
SD is coming from, so the fact that this is coming from an
authenticated connection to a remote SMB server is just lost on them.
There's no simple CheckFileAccess function in the Windows API I'm
aware of :(


Thanks,
Corinna

(*) I wonder if AuthzAccessCheck isn't implemented using NtAccessCheck
    under the hood...

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple