[jcifs] NTLM HTTP Filter Authenticates All Users Regardless ofJCIFSACL Permissions

Michael B Allen mba2000 at ioplex.com
Wed Oct 27 18:38:53 GMT 2004

On Wed, 27 Oct 2004 10:27:43 -0700
"John Fletcher" <jfletcher at latitudegeo.com> wrote:

> <snip>
> >I just fixed this. It actually surprised me a little to learn how 
> >feable ACL access control on Windows shares is. With Windows NT 
> >4.0 at least you can mount a share as any authenticated user regardless
> >of how the ACL is set. Now that wouldn't be that bad if you could
> >not access anything withing it but you can query the existance 
> >and attributes of a file or directory if you know it's path 
> >regardless of how the ACL is set! I had to resort to trying to 
> >*listing* the contents of the share. That causes Access Denied if 
> >the user is not listed in the ACL.
> >Humph!
> >The fix will be in the next release RSN.
> >Mike
> Thanks a bunch!  Actually, I tried creating a new directory in the
> JCIFSACL share, setting my logonShare to JCIFSACL/newdir at one point to
> see if maybe I could get it to deny access to a subdir of the share, but
> got a "path not found" error...  At any rate, it'll be great to have the
> logonShare functionality in the new release.

Yeah, no, that's not going to work because it will try to query the share
"JCIFSACL/newdir" and besides the fact that '/' is an illegal sharename
character, even if it did reference a directory in the JCIFSACL directory
it would succeed regardless of how the ACL is set.

I'll have to test Win98 before I release the next rev. Support for
Win95/98/ME has fallen behind. I think sharemode security is totally
broken. Might take a day or two.


Greedo shoots first? Not in my Star Wars.

More information about the jcifs mailing list