[jcifs] Security Correctness

James Maupin james.maupin at metacarta.com
Tue Jul 25 11:44:19 GMT 2006


This situation can happen with Share permissions also. However, most
companies that I've worked with set up open SMB/CIFS Shares (all users and
groups) and allow bypass traversal. That is, user Z could not navigate to
the file with Explorer, but could open the file with a full path.


James Maupin
Business Development Engineer, Energy

MetaCarta, Inc. ( www.metacarta.com )
1155 Dairy Ashford
Suite 201
Houston, TX 77079

Tel: (832) 300-8800 USA
Mob: (832) 746-6802 USA
james.maupin at metacarta.com

-----Original Message-----
From: jcifs-bounces+james.maupin=metacarta.com at lists.samba.org
[mailto:jcifs-bounces+james.maupin=metacarta.com at lists.samba.org]On
Behalf Of Martin D. Pedersen
Sent: Tuesday, July 25, 2006 2:21 AM
To: Jake Goulding; jcifs at lists.samba.org
Subject: RE: [jcifs] Security Correctness

Hi Jake

Actually I think this is the correct behaviour.
The reason you cannot navigate your way into the file using e.g. Windows
Explorer is that WE tries to open the folder to get the list of files,
which is correctly denied. So therefore it cannot show you the file.

But if you ask directly for the file, e.g. using a small jcifs program or
maybe even a direct path in Windows, you will see that the underlying
security system in Windows allows you to access the file.

So basically it is a problem with the Windows Explorer navigation, not the
effective rights of the file.

-- mdp

> -----Original Message-----
> From: jcifs-bounces+mdp=visanti.com at lists.samba.org
> [mailto:jcifs-bounces+mdp=visanti.com at lists.samba.org] On
> Behalf Of Jake Goulding
> Sent: 25. juli 2006 00:05
> To: JCIFS List
> Subject: [jcifs] Security Correctness
>
> I create a folder that is accessible (read/traverse rights)
> only to group A, then put a file inside that folder that is
> only readable by user Z (not in A). I then getSecurity() on
> the file, it will show that Z has read access to the file.
> However, if user Z actually comes along, she cannot read the
> file because she cannot traverse into the folder. Is there
> some way of getting the effective rights of a given file?
> Thanks!
> --
> Software Engineer
> goulding at vivisimo.com
> Vivísimo [Search Done Right™]
> 1710 Murray Avenue
> Pittsburgh, PA 15217 USA
> tel: +1.412.422.2499 x105
> fax: +1.412.422.2495
> vivisimo.com      clusty.com
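
The scenario discussed in this thread, as an added example that is not part of any message or of jcifs: a simplified model of why the file's own ACL (what getSecurity() reports) differs from what user Z can do, depending on whether bypass traverse checking applies. The tree, SID names and function names are constructed for illustration; the access check is a simplification of the Windows one.

```python
from dataclasses import dataclass, field

READ, TRAVERSE = 0x01, 0x20  # FILE_READ_DATA / FILE_LIST_DIRECTORY, FILE_TRAVERSE

@dataclass
class Ace:
    allow: bool
    sid: str
    mask: int

@dataclass
class Node:
    acl: list
    children: dict = field(default_factory=dict)

def granted(acl, sids, want):
    """Simplified access check: ACEs in order, deny on a needed bit fails."""
    remaining = want
    for ace in (a for a in acl if a.sid in sids):
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def walk(root, path, sids, need_on_folders):
    """Resolve path; require need_on_folders (0 = no check) on each ancestor."""
    node = root
    for part in path.strip("/").split("/"):
        if need_on_folders and not granted(node.acl, sids, need_on_folders):
            return None
        node = node.children[part]
    return node

def open_by_path(root, path, sids, bypass_traverse):
    """Direct open: ancestors need TRAVERSE unless bypass traverse checking applies."""
    node = walk(root, path, sids, 0 if bypass_traverse else TRAVERSE)
    return node is not None and granted(node.acl, sids, READ)

def browse_to(root, path, sids):
    """Explorer-style navigation: every folder on the way must be listable."""
    node = walk(root, path, sids, READ)
    return node is not None and granted(node.acl, sids, READ)

# Constructed sample tree matching the thread: folder for group A, file for user Z.
FILE = Node([Ace(True, "Z", READ)])
FOLDER = Node([Ace(True, "A", READ | TRAVERSE)], {"report.txt": FILE})
SHARE = Node([Ace(True, "Everyone", READ | TRAVERSE)], {"groupA": FOLDER})
Z = {"Z", "Everyone"}
```

An indexer that records only the file's ACL would list Z as a reader in both cases; whether that matches reality depends on the traverse setting, so the per-file ACL alone is not the effective right.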
