Security issue - storing NTACL's in non-NT-security-namespace

L.A. Walsh samba at tlinx.org
Fri Dec 13 14:32:12 MST 2013 

On 12/13/2013 2:53 AM, Christoph Hellwig wrote:
> On Fri, Dec 13, 2013 at 12:39:40AM -0800, L.A. Walsh wrote:
>   
>>    Does it have to be under a "namespace" that gets *stripped*
>> as soon as the file is copied or "mv'd to another
>> samba share (i.e. the partition it was moved to is shared with the
>> same permissions as the first one.
>>     
>
> Attributes never get "stripped", they simple don't get copied unless
> explicit action is taken to do so.  Setting trusted attributes up on a
> new file will of course rely privilegues, exactly for the reasons
> Jeremy pointed out.
>   
----

Stripping is the default action when copying or moving unless you
take some *non-default* (and unspecified) action, AND providing you
even know they are there..

The same is NOT true for the *real* xfs-ACLS -- which are
copied w/o issue.


Example,

testfile.txt (saved via win7 as a normal user in my Doc dir:
(letter on left is my abbrieviation

  Ishtar:law/Documents> attr -l testfile.txt
U  Attribute "DOSATTRIB" has a 56 byte value for testfile.txt
R  Attribute "SGI_ACL_FILE" has a 64 byte value for testfile.txt
U  Attribute "SAMBA_PAI" has a 31 byte value for testfile.txt
S  Attribute "NTACL" has a 328 byte value for testfile.txt      

Then copy using "explicit action" (-a) to save extended attributes:

 Ishtar:law/Documents> cp -a testfile.txt testcopy.txt
 Ishtar:law/Documents> attr -l testcopy.txt
   Attribute "DOSATTRIB" has a 56 byte value for testcopy.txt
   Attribute "SGI_ACL_FILE" has a 64 byte value for testcopy.txt
   Attribute "SAMBA_PAI" has a 31 byte value for testcopy.txt

Now NOTE: if I don't use "explicit action" (-a) in my copy:

 Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
 Ishtar:law/Documents> attr -l testcopy.txt                
   Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt

ONLY the root-namespace ACL is save  -- the user and security
attributes are striped.

If I try "mv"ing the -- on the same volume, I am "fine" (attributes
don't get dropped).

But if I cross a file boundary (to another XFS partition):

 Ishtar:law/Documents> mv testfile.txt /Share/CPAN/
   mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’:
       Operation not permitted
 Ishtar:law/Documents> attr -l /Share/CPAN/testfile.txt
   Attribute "DOSATTRIB" has a 56 byte value for /Share/CPAN/testfile.txt
   Attribute "SGI_ACL_FILE" has a 64 byte value for
    /Share/CPAN/testfile.txt
   Attribute "SAMBA_PAI" has a 31 byte value for /Share/CPAN/testfile.txt


Only the Security attribute is stripped.  the root namespace is copyable
by a user


Note.  I saw this message for the 1st time, last week (the permission
message on the move).  Do you have any idea what might have caused
such a change?

Did Samba changed namespaces, or is some library refusing to copy this
or maybe a kernel change?

More information about the samba-technical mailing list