DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4B9BCPC7787812
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4B9BCPC7787812
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=jaRRrwcl
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2C1D43858290
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1733742743;
	bh=sGEE7PukpSJ7LM2JzQ0bZPCi5+0xdGzc9m6e7luAPlc=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=jaRRrwclNz+3bEsjh3sAhQDKuDrkGKPZZi9aHSqeWlENu9mBqcAnBk7SZqz3uoJVK
	 t1ezKs5sSsIKFZRGIIZH5mn4lIwdWeeSd5VE53X4CaebSuLp02w2N0SFpcGCY7Gk2b
	 y0azjKUcH8b80gwUKegCUe36d/0Y3rGweEMEBQKc=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 730133858D34
Date: Mon, 9 Dec 2024 12:11:56 +0100
To: cygwin AT cygwin DOT com
Subject: Re: SMBFS mount's file cannot be made executable
Message-ID: <Z1bQfIgv7MIDL1fB@calimero.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20241113181755 DOT 02289e8e8d9af7e19e8f4387 AT nifty DOT ne DOT jp>
 <CANV9t=SvYedzG-LmECwdT7kjipOyhgwsZ1yucnTm8mWMnNkJVw AT mail DOT gmail DOT com>
 <20241114003740 DOT e573d7ec79d35da76225c9f1 AT nifty DOT ne DOT jp>
 <CANV9t=TLh8xD7KBsF-MucZWNjP-L0KE04xUv2-2e=Z5fXTjk=w AT mail DOT gmail DOT com>
 <20241114010807 DOT 99f46760b2240d472440c329 AT nifty DOT ne DOT jp>
 <20241116002122 DOT 3f4fd325a497eb4261ad80f4 AT nifty DOT ne DOT jp>
 <ZztqpBESgcTXcd3d AT calimero DOT vinschen DOT de>
 <20241119175806 DOT 321cdb7e65a727a2eb58c8a6 AT nifty DOT ne DOT jp>
 <Zzz7FJim9kIiqjyy AT calimero DOT vinschen DOT de>
 <20241208081338 DOT e097563889a03619fc467930 AT nifty DOT ne DOT jp>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20241208081338.e097563889a03619fc467930@nifty.ne.jp>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On Dec  8 08:13, Takashi Yano via Cygwin wrote:
> On Tue, 19 Nov 2024 21:54:44 +0100
> Corinna Vinschen wrote:
> > No, we can't do that, it's too simple.
> > 
> > Just kidding.
> > 
> > This is so simple, I'm puzzled we never tried that before.  Or, if we
> > did, it's a loooong time ago...
> > 
> > If we really do this, we don't even need to call get_file_sd().  And it
> > should use NtOpenFile and reopen semantics i.e.  pc.init_reopen_attr().
> > Also, the sharing flags should allow all access.  And the `effective'
> > argument needs to be taken into account.
> 
> I have a question. What pc.init_reopen_attr() is for? I tested with
> pc.get_object_attr() instead, it works.

init_reopen_attr() uses the "open by handle" functionality as in the
Win32 API ReOpenFile().  It only does so if the filesystem supports it.
Samba usually does, so it's not clear to me why pc.init_reopen_attr()
fails for you.

> What handle should I pass to pc.init_reopen_attr()?

You could pass pc.handle().  Is pc.handle() in this scenario NULL,
perhaps?

> @@ -709,12 +615,44 @@ check_file_access (path_conv &pc, int flags, bool effective)
>      desired |= FILE_WRITE_DATA;
>    if (flags & X_OK)
>      desired |= FILE_EXECUTE;
> -  if (!get_file_sd (pc.handle (), pc, sd, false))
> +
> +  NTSTATUS status;
> +  if (!effective && cygheap->user.issetuid ())
> +    {
> +      /* Strip impersonation token temporarily */
> +      HANDLE tok = NO_IMPERSONATION;
> +      status = NtSetInformationThread (GetCurrentThread (),
> +				       ThreadImpersonationToken,
> +				       &tok, sizeof (tok));
> +      if (!NT_SUCCESS (status))
> +	{
> +	  debug_printf("NtSetInformationThread() for stripping "
> +		       "impersonation token failed: %y", status);
> +	  __seterrno_from_nt_status (status);
> +	  return ret;
> +	}
> +    }

You can simplify this:

	if (!effective)
	  cygheap->user.deimpersonate ();
   
> +  if (!effective && cygheap->user.issetuid ())
> +    {
> +      /* Recover impersonation token */
> +      HANDLE tok = cygheap->user.imp_token () ?: hProcImpToken;
> +      status = NtSetInformationThread (GetCurrentThread (),
> +				       ThreadImpersonationToken,
> +				       &tok, sizeof (tok));
> +      if (!NT_SUCCESS (status))
> +	debug_printf("NtSetInformationThread() for recovering "
> +		     "impersonation token failed: %y", status);
>      }

And this:

	if (!effective)
	  cygheap->user.reimpersonate ();

But please let's move to cygwin-patches for this.


Thanks,
Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple