Bug 10252 - Access Based Enumeration: User can see/list folders/files even when they denied to either read attribute or read extend attribute permission
werth at linux.vnet.ibm.com
Wed Nov 6 08:46:01 MST 2013
On Wed, 2013-11-06 at 07:24 -0800, Richard Sharpe wrote:
> On Wed, Nov 6, 2013 at 7:08 AM, Alexander Werth
> <werth at linux.vnet.ibm.com> wrote:
> > On Wed, 2013-11-06 at 12:20 +0530, Partha Sarathi wrote:
> >> bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
> >> --- smbd/dir.c 2013-11-05 22:42:44.565464984 -0800
> >> - return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
> >> + return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
> >> FILE_READ_EA | FILE_READ_ATTRIBUTES));
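Review bot: the widened mask on the `+` line has no comment saying why FILE_READ_EA and FILE_READ_ATTRIBUTES are now required before a directory entry is listed. Add a short comment naming the Windows access based enumeration behaviour being matched, and consider a named constant for the combined mask. The hunk does not show whether can_access_file_acl() requires every bit of the mask to be granted, which the accompanying note depends on, so state that in the commit message. The mask also leaves out the "read permissions" right, which the reply in this thread reports was needed as a fourth permission on Windows 2008 R2.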
> >> Note: I have done the unit test and it just works like Windows, i.e. even if
> >> the user is just denied for any one of the READ permissions Samba hides the
> >> folder/files with the above changes.
> > Hi Partha,
> > I just tried a few things with Access based enumeration and I actually
> > needed the permission to read permissions as well on the Windows folders
> > before I could see them.
> > I was using two Windows 2008r2 systems for my test.
> > Did I miss something that I needed that read permission on top of the
> > other three?
> I think that is what Partha is saying. On Windows you need
> FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES in order to see
> the files/folders, while Samba was allowing you to see files/folders
> if you had FILE_READ_DATA.
And when I tried it, these three permissions were not enough.
I also needed the "read permissions" permission as a fourth.
Btw. When I select "read" permission in the simplified Windows dialog
all four are selected and I have to scroll down to see that the read
permission behaviour is selected as well.
But in general patching this seems useful.