Users able to execute windows .exe though execute bit not set

Esh, Andrew Andrew_Esh at adaptec.com
Tue Apr 1 19:21:50 GMT 2003


You should note that the ACL system and the Unix permission bits are two
different things. What you are actually talking about is the translation
between the two.

If the ACL system has Execute permission set for the user, then that user
should be able to execute the program on the client. That determination is
made on the client end.

If the Unix execute bit is set, then a Unix user should be able to run that
executable on the Unix host.

My personal opinion is that there is no meaningful translation between the
two, unless we are talking about Perl scripts, or something else which runs
on both systems. If there is an ACL system as part of the server, I don't
see any need to bother with the Unix execute bits, for Windows-only
executables.

The problem is compounded by the possibility that those bits have been used
within Samba to store other functionality such as the DOS System or Hidden
bits.

Jeremy Allison is the one who can state this case better than I can. He gave
a presentation at the CIFS conference in Bellevue, in August 2001 on this
very subject. He should make the final determination on this.

-----Original Message-----
From: Ronan Waide [mailto:waider at waider.ie]
Sent: Tuesday, April 01, 2003 11:23 AM
To: Richard Sharpe
Cc: samba-technical at lists.samba.org; Nick Drouet
Subject: Re: Users able to execute windows .exe though execute bit not set


On April 1, rsharpe at richardsharpe.com said:
> 
> Hmmm, I did some testing a week or so ago, and found that removing the 
> execute permission from ACLs on the file (esp inherited ones) prevents 
> Win2K from executing the file, although it does open the file for read 
> first.

Yep, turns out I opened my mouth without being completely sure of what
I was saying :)
 
> Since we have just added proper eXecute permission support to our (almost)
> NT ACLs in the file system, let me check this today to see what the deal 
> is.

jmcd says it should work.

Cheers,
Waider.
-- 
waider at waider.ie / Yes, it /is/ very personal of me.

"for god's sake, give me some credit.  i may be an egocentric jerk, but i'm
 not a COMPLETE asshole." - Meredith

