Users able to execute windows .exe though execute bit not set

Tue Apr 1 16:03:34 GMT 2003

Nick,

Perhaps you can explain how you would achieve your goals if the server was
running Windows 2000 Server. If you can demonstrate a pure Windows
solution maybe we could match that with Samba.

- John T.

On Tue, 1 Apr 2003, Nick Drouet wrote:

> I'm looking for some assistance regarding file permissions and the inability
> to stop the execution of a file even though the execute permission has not
> been set.
>
> Scenario
>
> I create a share.
> I copy the notepad.exe from a windows client onto the share.
>
> >From Linux console:
>
> chown <user> notepad.exe
> chmod 600 notepad.exe
>
> >From Windows client:
>
> I map a drive to the share and I am still able to run the notepad.exe file
> from the share, even though executable permissions aren't set...
>
> I can remove the executable flag via the Windows GUI and the same occurs.
> I've tried other executable files and the same occurs. If I chmod 222 to
> remove any read rights, then I get the access denied that I would expect.
>
>
> As far as user permissions are going, I've tried a number of options.
> Originally I had a samba server as a member of a Windows NT Domain, using
> Winbind to map user IDs. This also had ACL support with the 2.4.17acl kernel
> and permissions were being set fine on multiple users from the NT domain.
> I've stripped elements out until I now have just a samba server which is not
> part of a domain and my windows user is in the smbpasswd file with matching
> user Id and password. At all stages this problem occurs. I need to know if
> I'm doing something very dumb here but the ability to stop users running
> executables from a network share is critical.
>
> Clients are Windows 2000 / NT4
> Samba versions that I've tried are 2.2.8 and 2.0.0.15 (RPM from SuSE
> installation CD).
> Linux distros that I've tried are SuSE 7.2 and Redhat 7.2
>
> Does anyone have any light they could throw onto why this is happening?
>
> I've seen a few threads regarding this in the samba general but no replies
> so forgive if off topic slightly but could really do with some hints..
>
> Relevant bits from my smb.conf are below.
>
>
>
> [global]
>    workgroup = DOMAIN2
>    guest account = nobody
>    keep alive = 30
>    os level = 2
>    kernel oplocks = false
>    security = domain
>    encrypt passwords = yes
>    socket options = TCP_NODELAY
>    map to guest = Bad User
>    wins server = 192.168.1.80
>    netbios name = samba1
>    winbind uid = 1000-2000
>    winbind gid = 1000-2000
>    winbind cache time = 10
>    winbind separator = +
>    password server = *
>    log file = /var/log/samba
>    log level = 1
>
> [share3]
>    path = /share3
>    comment = shared area
>    read only = no
>    browseable = yes
>
>
>
>
>

-- 
John H Terpstra
Email: jht at samba.org