Users able to execute windows .exe though execute bit not set

Jim McDonough jmcd at us.ibm.com
Tue Apr 1 19:53:54 GMT 2003 




>What is Windows is using to determine that it needs to do the
>"executability" test? There is no executable bit in Windows. There is the
>ACL entry, but nothing at the DOS level. That is, unless they are testing
>the file extension.
It uses the ACL.  It follows locally what's in the ACL, and the server will
grant/deny the requested access based on what's in the ACL.  It works.
Folks have pointed out that you can just get around it by reading the file,
copying it locally, and running it from there, but there are many companies
out there that lock down all the workstations, and prevent local write
access for this very reason.

>What Windows would need is a marker that enables a file for execution, and
a
>network request from the client which notifies the server that the file is
>being read for execution. Windows could compare the two, and deny the read
>if the file is not enabled. In any case, it has to trust the client not to
>read the file for non-execution, and then execute it. Since Windows is
also
>the client, such a trustworthiness can be relied upon.
The ACL is this marker, and the network request NTCreateX will pass along
whatever access you tell it, and windows clients tell it they want
"execute" access.  I detail the trust situation above.

>I would not be surprised to learn that Samba does not do the "executable"
>test on files being read, since there is no reasonable place to store a
>Windows execution flag. (Perhaps this can be added as an extended
attribute
>setting.) If Windows is testing the file extension instead, then Samba
>should be extended to do the same thing.
Samba does not test any of the bits, but rather relies on the OS to do the
testing.  This works fine for read and write, because open() allows you to
specify them.  You can't request "X' permissions, though, so we'd have to
explictly test it.  The unix "x" bit is a perfectly reasonable place to
store this, and unix has the same problems windows does...if you can read
it, you can copy it and change the bits in your own copy.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list