Security issue - storing NTACL's in non-NT-security-namespace
L.A. Walsh
samba at tlinx.org
Fri Dec 13 14:32:12 MST 2013
On 12/13/2013 2:53 AM, Christoph Hellwig wrote:
> On Fri, Dec 13, 2013 at 12:39:40AM -0800, L.A. Walsh wrote:
>
>> Does it have to be under a "namespace" that gets *stripped*
>> as soon as the file is copied or "mv'd to another
>> samba share (i.e. the partition it was moved to is shared with the
>> same permissions as the first one.
>>
>
> Attributes never get "stripped", they simple don't get copied unless
> explicit action is taken to do so. Setting trusted attributes up on a
> new file will of course rely privilegues, exactly for the reasons
> Jeremy pointed out.
>
----
Stripping is the default action when copying or moving unless you
take some *non-default* (and unspecified) action, AND providing you
even know they are there..
The same is NOT true for the *real* xfs-ACLS -- which are
copied w/o issue.
Example,
testfile.txt (saved via win7 as a normal user in my Doc dir:
(letter on left is my abbrieviation
Ishtar:law/Documents> attr -l testfile.txt
U Attribute "DOSATTRIB" has a 56 byte value for testfile.txt
R Attribute "SGI_ACL_FILE" has a 64 byte value for testfile.txt
U Attribute "SAMBA_PAI" has a 31 byte value for testfile.txt
S Attribute "NTACL" has a 328 byte value for testfile.txt
Then copy using "explicit action" (-a) to save extended attributes:
Ishtar:law/Documents> cp -a testfile.txt testcopy.txt
Ishtar:law/Documents> attr -l testcopy.txt
Attribute "DOSATTRIB" has a 56 byte value for testcopy.txt
Attribute "SGI_ACL_FILE" has a 64 byte value for testcopy.txt
Attribute "SAMBA_PAI" has a 31 byte value for testcopy.txt
Now NOTE: if I don't use "explicit action" (-a) in my copy:
Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
Ishtar:law/Documents> attr -l testcopy.txt
Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt
ONLY the root-namespace ACL is save -- the user and security
attributes are striped.
If I try "mv"ing the -- on the same volume, I am "fine" (attributes
don't get dropped).
But if I cross a file boundary (to another XFS partition):
Ishtar:law/Documents> mv testfile.txt /Share/CPAN/
mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’:
Operation not permitted
Ishtar:law/Documents> attr -l /Share/CPAN/testfile.txt
Attribute "DOSATTRIB" has a 56 byte value for /Share/CPAN/testfile.txt
Attribute "SGI_ACL_FILE" has a 64 byte value for
/Share/CPAN/testfile.txt
Attribute "SAMBA_PAI" has a 31 byte value for /Share/CPAN/testfile.txt
Only the Security attribute is stripped. the root namespace is copyable
by a user
Note. I saw this message for the 1st time, last week (the permission
message on the move). Do you have any idea what might have caused
such a change?
Did Samba changed namespaces, or is some library refusing to copy this
or maybe a kernel change?
More information about the samba-technical
mailing list