[jcifs] NTLM HTTP Filter Authenticates All Users Regardless
ofJCIFSACL Permissions
Michael B Allen
mba2000 at ioplex.com
Wed Oct 27 18:38:53 GMT 2004
On Wed, 27 Oct 2004 10:27:43 -0700
"John Fletcher" <jfletcher at latitudegeo.com> wrote:
> <snip>
> >I just fixed this. It actually surprised me a little to learn how
> >feable ACL access control on Windows shares is. With Windows NT
> >4.0 at least you can mount a share as any authenticated user regardless
>
> >of how the ACL is set. Now that wouldn't be that bad if you could
> >not access anything withing it but you can query the existance
> >and attributes of a file or directory if you know it's path
> >regardless of how the ACL is set! I had to resort to trying to
> >*listing* the contents of the share. That causes Access Denied if
> >the user is not listed in the ACL.
>
> >Humph!
>
> >The fix will be in the next release RSN.
>
> >Mike
>
> Thanks a bunch! Actually, I tried creating a new directory in the
> JCIFSACL share, setting my logonShare to JCIFSACL/newdir at one point to
> see if maybe I could get it to deny access to a subdir of the share, but
> got a "path not found" error... At any rate, it'll be great to have the
> logonShare functionality in the new release.
Yeah, no, that's not going to work because it will try to query the share
"JCIFSACL/newdir" and besides the fact that '/' is an illegal sharename
character, even if it did reference a directory in the JCIFSACL directory
it would succeed regardless of how the ACL is set.
I'll have to test Win98 before I release the next rev. Support for
Win95/98/ME has fallen behind. I think sharemode security is totally
broken. Might take a day or two.
Mike
--
Greedo shoots first? Not in my Star Wars.
More information about the jcifs
mailing list