Users able to execute windows .exe though execute bit not set

Nick Drouet nick at drouet.co.uk
Tue Apr 1 14:14:26 GMT 2003 

I'm looking for some assistance regarding file permissions and the inability
to stop the execution of a file even though the execute permission has not
been set.

Scenario

I create a share.
I copy the notepad.exe from a windows client onto the share.

>From Linux console:

chown <user> notepad.exe
chmod 600 notepad.exe

>From Windows client:

I map a drive to the share and I am still able to run the notepad.exe file
from the share, even though executable permissions aren't set...

I can remove the executable flag via the Windows GUI and the same occurs.
I've tried other executable files and the same occurs. If I chmod 222 to
remove any read rights, then I get the access denied that I would expect.


As far as user permissions are going, I've tried a number of options.
Originally I had a samba server as a member of a Windows NT Domain, using
Winbind to map user IDs. This also had ACL support with the 2.4.17acl kernel
and permissions were being set fine on multiple users from the NT domain.
I've stripped elements out until I now have just a samba server which is not
part of a domain and my windows user is in the smbpasswd file with matching
user Id and password. At all stages this problem occurs. I need to know if
I'm doing something very dumb here but the ability to stop users running
executables from a network share is critical.

Clients are Windows 2000 / NT4
Samba versions that I've tried are 2.2.8 and 2.0.0.15 (RPM from SuSE
installation CD).
Linux distros that I've tried are SuSE 7.2 and Redhat 7.2

Does anyone have any light they could throw onto why this is happening?

I've seen a few threads regarding this in the samba general but no replies
so forgive if off topic slightly but could really do with some hints..

Relevant bits from my smb.conf are below.



[global]
   workgroup = DOMAIN2
   guest account = nobody
   keep alive = 30
   os level = 2
   kernel oplocks = false
   security = domain
   encrypt passwords = yes
   socket options = TCP_NODELAY
   map to guest = Bad User
   wins server = 192.168.1.80
   netbios name = samba1
   winbind uid = 1000-2000
   winbind gid = 1000-2000
   winbind cache time = 10
   winbind separator = +
   password server = *
   log file = /var/log/samba
   log level = 1

[share3]
   path = /share3
   comment = shared area
   read only = no
   browseable = yes

More information about the samba-technical mailing list