FILE_GENERIC_EXECUTE bits causing problems setting ACLs via Windows GUI
John P Janosik
jpjanosi at us.ibm.com
Tue Jun 8 19:55:05 GMT 2004
Can someone comment on why FILE_READ_ATTRIBUTES is set as part of
FILE_GENERIC_EXECUTE in smb.h? This is causing a problem when setting an
ACL via the winxp sp1 security gui against Samba 3.0.4 on redhat linux 9
built with acl support. Here is an example of the problem:
[root at rchsker jpjanosi]# getfacl test
# file: test
# owner: jpjanosi
# group: Domain Users
user::rwx
user:bmarsh:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:bmarsh:rwx
default:user:jpjanosi:rwx
default:group::--x
default:mask::rwx
default:other::--x
Now from a winxp sp1 client as jpjanosi I add another user to the ACL.
Looking at the ACL again from the Linux side shows the problem (I did not
make any changes to other or the owning group in the GUI):
[root at rchsker jpjanosi]# getfacl test
# file: test
# owner: jpjanosi
# group: Domain Users
user::rwx
user:bmarsh:rwx
user:wrm3:r-x
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:bmarsh:rwx
default:user:jpjanosi:rwx
default:user:wrm3:r-x
default:group::r-x
default:mask::rwx
default:other::r-x
Any ACE that had just x set before now has rx set. It looks like any time
the FILE_READ_ATTRIBUTES bit is set in an ACE in the NT SET SEC DESC call
then Samba sets the r bit on for that entry on the posix acl. I realize
that not setting FILE_READ_ATTRIBUTES means that in the Windows gui
the ACE will show up with "Special Permissions" instead of
"Traverse/Execute", but it seems there is too much risk of users giving away
access without realizing it.
John Janosik
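
Added example, not part of the original post and not Samba's code: a small C model of the bit overlap the message describes. The bit values are the Windows SDK definitions; `map_any_read_bit` and `map_read_data_only` are hypothetical mappings (the first models the behaviour reported above, the second is one stricter alternative), and the sample masks are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows access-mask bits; values as defined in the Windows SDK (winnt.h). */
#define FILE_READ_DATA        0x00000001u
#define FILE_READ_EA          0x00000008u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define FILE_GENERIC_READ \
    (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE \
    (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)

#define PERM_R 4u   /* POSIX r */
#define PERM_X 1u   /* POSIX x (w is left out to keep the model small) */

/* Hypothetical model of the reported behaviour: any read-type bit yields r. */
unsigned map_any_read_bit(uint32_t mask)
{
    unsigned p = 0;
    if (mask & (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)) p |= PERM_R;
    if (mask & FILE_EXECUTE) p |= PERM_X;
    return p;
}

/* Hypothetical stricter mapping: r only when file contents may be read. */
unsigned map_read_data_only(uint32_t mask)
{
    unsigned p = 0;
    if (mask & FILE_READ_DATA) p |= PERM_R;
    if (mask & FILE_EXECUTE) p |= PERM_X;
    return p;
}

/* Bits FILE_GENERIC_EXECUTE shares with FILE_GENERIC_READ; these alone
 * cannot tell an execute-only ACE from one that also grants read. */
uint32_t shared_generic_bits(void) { return FILE_GENERIC_EXECUTE & FILE_GENERIC_READ; }

static void show(const char *name, uint32_t mask)
{
    unsigned a = map_any_read_bit(mask), b = map_read_data_only(mask);
    printf("%-28s 0x%08x  any-bit: %c%c  data-only: %c%c\n", name, (unsigned)mask,
           (a & PERM_R) ? 'r' : '-', (a & PERM_X) ? 'x' : '-',
           (b & PERM_R) ? 'r' : '-', (b & PERM_X) ? 'x' : '-');
}

int main(void)
{
    /* Constructed sample ACE masks. */
    show("FILE_GENERIC_EXECUTE", FILE_GENERIC_EXECUTE);
    show("execute, no READ_ATTRIBUTES", FILE_GENERIC_EXECUTE & ~FILE_READ_ATTRIBUTES);
    show("generic read + execute", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE);
    return 0;
}
```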