force mode (Was: RE: more thoughts on Samba permissions manipulat

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Fri Jun 18 20:09:16 GMT 1999


> -----Original Message-----
> From:	ejajko at corp.auspex.com [SMTP:ejajko at corp.auspex.com]
> Sent:	Friday, June 18, 1999 15:54
> To:	Multiple recipients of list
> Subject:	Re: force mode (Was: RE: more thoughts on Samba permissions manipulat
> 
> :)From branko.cibej at hermes.si Fri Jun 18 11:31:56 1999
> :)Subject: Re: force mode (Was: RE: more thoughts on Samba permissions manipulat
> :)>         *sigh*  indeed...  why can't PC software vendors get these kind of
> :)> things right?  I know they've been dealing with DOS for the past ten years,
> :)> but even so...
> :)
> :)Actually, the correct fix for this particular Microsoftish misfeature is to
> :)cache the permissions and ownership of deleted files for a few seconds, and
> :)restore them if the same file is created again while the info in the cache is
> :)still alive.
> 
> This sounds like a very nasty security hole- if one were to do this, you
> should at least force a restriction to a nonprivileged account.
> 
	The cache he refers to is probably local to the individual
session/user/app combination.

> :)Hmmm ... now that I think about it, caching the permissions isn't enough -- you
> :)have to preserve hard links, i.e. the node number, too. Which means you have to
> :)"logically" delete the file: put it in a table of invisible files, perhaps
> :)rename it to, e.g., `.#deleted#<filename>', and delay the unlink. Should be
> :)fairly easy to do in a VFS module, and the nice thing is that if you're allowed
> :)to delete a file, you're also allowed to rename it (don't know about the sticky
> :)bit semantics, though).
> 
> And this sounds like the biggest security hole yet ;)
> 
	I'm not exactly sure how exploitable that would in fact be; at
worst, if the other party won the race, the rename would either nuke their
link, or fail.  And of course the permissions would remain the same, so they
wouldn't exactly get access to anything that they didn't have before.  In
any case, some NFS implementations do something like this anyway (for
different reasons).
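A toy model of the per-session permission cache discussed above, added here as an illustration and not code from the thread or from Samba: the cache remembers a just-unlinked file's mode and owner, keyed by session id, and reapplies the mode only when the same session recreates the same path before the entry expires. The class, the session ids and the file names are constructed for the example; ownership is recorded and checked but not reapplied, since chown would need privilege.

```python
import os, tempfile, time

class DeletedFileCache:
    """Hypothetical model (not Samba's code) of the scheme discussed above:
    remember the mode/owner of a just-unlinked file for a short time, keyed
    by session, and reapply it if that session recreates the same path."""

    def __init__(self, ttl_seconds=5.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the expiry case is testable
        self._entries = {}  # (session_id, path) -> (mode, uid, gid, expires_at)

    def unlink(self, session_id, path):
        st = os.stat(path)
        os.unlink(path)
        self._entries[(session_id, path)] = (
            st.st_mode & 0o7777, st.st_uid, st.st_gid, self.clock() + self.ttl)

    def create(self, session_id, path, default_mode=0o644):
        # Create normally first (O_EXCL: a file that already exists is an error).
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, default_mode))
        entry = self._entries.pop((session_id, path), None)
        if entry is None:
            return False  # nothing cached for this session and path
        mode, uid, gid, expires_at = entry
        if self.clock() > expires_at:
            return False  # stale entry: the new file keeps default_mode
        if (uid, gid) != (os.getuid(), os.getgid()):
            return False  # never hand another owner's bits to the creating user
        os.chmod(path, mode)
        return True

def demo():
    """Three delete/recreate cases; returns which ones got the old 0600 mode back."""
    t = [0.0]
    with tempfile.TemporaryDirectory() as d:
        cache = DeletedFileCache(ttl_seconds=5.0, clock=lambda: t[0])
        p = os.path.join(d, "doc.txt")
        def case(deleter, creator, delay):
            open(p, "w").close()  # constructed sample file with a private mode
            os.chmod(p, 0o600)
            cache.unlink(deleter, p)
            t[0] += delay
            return cache.create(creator, p) and (os.stat(p).st_mode & 0o777) == 0o600
        return {
            "same_session": case("sessA", "sessA", 1.0),  # True
            "other_session": case("sessA", "sessB", 1.0),  # False: per-session key
            "expired": case("sessA", "sessA", 10.0),  # False: TTL elapsed
        }
```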


