[jcifs] Security Correctness

Jake Goulding goulding at vivisimo.com
Tue Jul 25 14:56:30 GMT 2006


James & Martin:

Thanks for your feedback. Indeed, I was able to read the file through 
notepad if I gave it the full path. However, a similar setup using a 
Samba server seems to not work the same way (we are assuming that it has 
to do with the correlation of POSIX vs Windows ACLs).

Now I just have to figure out a way of finding the effective rights on 
Linux and Sun.

Thanks again!

-jake

James Maupin wrote:
> Jake,
>
> This situation can happen with Share permissions also. However, most
> companies that I've worked with set up open SMB/CIFS Shares (all users and
> groups) and allow bypass traversal. That is, user Z could not navigate to
> the file with Explorer, but could open the file with a full path.
>
> regards,
> James
>
> -------------------------------------
> James Maupin
> Business Development Engineer, Energy
>
> MetaCarta, Inc. ( www.metacarta.com )
> 1155 Dairy Ashford
> Suite 201
> Houston, TX 77079
>
> Tel: (832) 300-8800 USA
> Mob: (832) 746-6802 USA
> james.maupin at metacarta.com
>
> -----Original Message-----
> From: jcifs-bounces+james.maupin=metacarta.com at lists.samba.org
> [mailto:jcifs-bounces+james.maupin=metacarta.com at lists.samba.org]On
> Behalf Of Martin D. Pedersen
> Sent: Tuesday, July 25, 2006 2:21 AM
> To: Jake Goulding; jcifs at lists.samba.org
> Subject: RE: [jcifs] Security Correctness
>
>
> Hi Jake
>
> Actually I think this is the correct behaviour.
> The reason you cannot navigate your way into the file using e.g. Windows
> Explorer is that WE tries to open the folder to get the list of files,
> which is correctly denied. So therefore it cannot show you the file.
>
> But if you ask directly for the file, e.g. using a small jcifs program or
> maybe even a direct path in Windows, you will see that the underlying
> security system in Windows allows you to access the file.
>
> So basically it is a problem with the Windows Explorer navigation, not the
> Effective rights of the file.
>
> -- mdp
>
>   
>> -----Original Message-----
>> From: jcifs-bounces+mdp=visanti.com at lists.samba.org
>> [mailto:jcifs-bounces+mdp=visanti.com at lists.samba.org] On
>> Behalf Of Jake Goulding
>> Sent: 25. juli 2006 00:05
>> To: JCIFS List
>> Subject: [jcifs] Security Correctness
>>
>> I create a folder that is accessible (read/traverse rights)
>> only to group A, then put a file inside that folder that is
>> only readable by user Z (not in A). I then getSecurity() on
>> the file, it will show that Z has read access to the file.
>> However, if user Z actually comes along, she cannot read the
>> file because she cannot traverse into the folder. Is there
>> some way of getting the effective rights of a given file?
>>
>> Thanks!
>>     
-- 

JAKE GOULDING
Software Engineer
goulding at vivisimo.com

Vivísimo [Search Done Right™]
1710 Murray Avenue
Pittsburgh, PA 15217 USA
tel: +1.412.422.2499 x105
fax: +1.412.422.2495
vivisimo.com      clusty.com
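
The POSIX side of the question raised in this thread, as an added example that is not part of the original messages or of jcifs: on Linux or Solaris, read access to a file also requires search (x) permission on every directory leading to it, so the file's own permissions can say "readable" while the effective answer is "denied". The sketch assumes plain mode bits only (no POSIX ACLs, no root override, no Samba-specific mapping); `effective_read`, `_class_bits`, `demo` and the sample tree are hypothetical names and constructed data.

```python
import os
import stat
import tempfile

def _class_bits(st, uid, gids):
    """Pick the owner, group or other permission triplet that applies (mode bits only)."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def effective_read(share_root, rel_path, uid, gids):
    """Return (allowed, blocker): read on the file AND search (x) on every
    directory from share_root down to the file's parent."""
    current = share_root
    parts = [p for p in rel_path.split("/") if p]
    for part in parts:
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode) or not _class_bits(st, uid, gids) & 1:
            return False, current          # traversal denied at this directory
        current = os.path.join(current, part)
    st = os.stat(current)
    if not _class_bits(st, uid, gids) & 4:
        return False, current              # the file's own bits deny read
    return True, None

def demo():
    """Constructed tree: folder closed to 'other', file readable by 'other'."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    folder = os.path.join(root, "group_a_only")
    os.mkdir(folder)
    target = os.path.join(folder, "report.txt")
    with open(target, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(target, 0o644)
    os.chmod(folder, 0o750)                # only owner and group may traverse
    st = os.stat(target)
    user_z = (st.st_uid + 12345, {st.st_gid + 12345})   # hypothetical outsider
    file_only = bool(_class_bits(st, *user_z) & 4)      # what the file alone says
    closed = effective_read(root, "group_a_only/report.txt", *user_z)
    os.chmod(folder, 0o755)                # open the folder to 'other'
    opened = effective_read(root, "group_a_only/report.txt", *user_z)
    return file_only, closed, opened, folder

if __name__ == "__main__":
    print(demo())
```

The `blocker` value names the first path component that denies access, which is the detail a per-file permission listing does not reveal.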


