Bug 10252 - Access Based Enumeration: User can see/list folders/files even when they are denied either read attribute or read extended attribute permission

Richard Sharpe realrichardsharpe at gmail.com
Wed Nov 6 08:24:02 MST 2013


On Wed, Nov 6, 2013 at 7:08 AM, Alexander Werth
<werth at linux.vnet.ibm.com> wrote:
> On Wed, 2013-11-06 at 12:20 +0530, Partha Sarathi wrote:
>> bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
>> --- smbd/dir.c  2013-11-05 22:42:44.565464984 -0800
>> -       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
>> +       return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
>> FILE_READ_EA | FILE_READ_ATTRIBUTES));
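Review bot: The new mask on the `+` line is an inline three-flag literal with no comment saying why enumeration needs more than FILE_READ_DATA; a short comment or a named constant stating that this mirrors Windows access based enumeration would keep a later cleanup from narrowing it again. The change only hides entries as intended if can_access_file_acl() requires every bit in the mask rather than any one of them, which is not visible in this hunk and is worth confirming. The reply quoted further down reports that Windows 2008 R2 also needed the permission to read permissions, so check whether that right belongs in the mask too. The diff as posted has no `+++` or `@@` lines and the added line was wrapped by the mailer, so it will not apply as sent; please resend it as an attachment or via git format-patch.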
>
>> Note: I have done the unit test and it just works like Windows, i.e. even if
>> the user is just denied for any one of the READ permissions Samba hides the
>> folder/files with the above changes.
>>
> Hi Partha,
>
> I just tried a few things with Access based enumeration and I actually
> needed the permission to read permissions as well on the Windows folders
> before I could see them.
> I was using two Windows 2008r2 systems for my test.
> Did I miss something that I needed that read permission on top of the
> other three?

I think that is what Partha is saying. On Windows you need
FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES in order to see
the files/folders, while Samba was allowing you to see files/folders
if you had FILE_READ_DATA.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)


More information about the samba-technical mailing list