[PATCH] vfs_acl_xattr|tdb: set create mask to 0777 if ignore_system_acls is set

Uri Simchoni uri at samba.org
Mon Feb 6 18:30:19 UTC 2017


On 02/06/2017 03:04 PM, Ralph Böhme wrote:
> On Mon, Feb 06, 2017 at 02:47:08PM +0200, Uri Simchoni wrote:
>> On 02/06/2017 02:19 PM, Ralph Böhme wrote:
>>> Hi!
>>>
>>> Attached is a patch for bug
>>> https://bugzilla.samba.org/show_bug.cgi?id=12562
>>>
>>> The fix for bug #12181 included a change that should ensure filesystem
>>> permissions are out of the way when using VFS modules acl_xattr or acl_tdb with
>>> "acl_xattr:ignore system acls = yes".
>>>
>>> At runtime, when the module is loaded, we set "create mask = 0666" which doesn't
>>> contain executable rights for files. This should really be "create mask = 0777"
>>> instead.
>>>
>>> Please review & push if happy. Thanks!
>>>
>>> Cheerio!
>>> -slow
>>>
>> Well, what if I want files created to be 0666?
> 
> huh, why would you? You've explicitly requested
> 
>   acl_xattr:ignore system acls = yes
> 
> whose behaviour is
> 
>   When set to yes, a best effort mapping from/to the POSIX ACL layer will not be
>   done by this module.
> 
> I know it says "POSIX ACL", but you can't separate the POSIX mode from the ACL
> from a functional perspective. We must ensure filesystem permissions are
> completely open and permission checking is based entirely on the ACL blob from
> the xattr, not on some unpredictable mix of blob and fs.
> 
> Cheerio!
> -slow
> 

I just think 0777 increases the attack surface if the admin doesn't wish
files stored on that share to be locally executed, so there has to be a
way to avoid x bit.

My thinking is that if a file is world-readable and world-writable,
there are no restrictions imposed by POSIX.

Uri.
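
The two concerns in this thread can be checked on an existing share. The following is an added example, not part of the original messages or of Samba: it walks a directory tree and reports regular files whose POSIX mode still restricts read/write access, and files that carry any execute bit. The function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

RW_ALL = 0o666  # read+write for user, group and other
X_ANY = 0o111   # any execute bit

def audit_share(root):
    """Return (restricted, executable): sorted lists of (relative path, mode)."""
    restricted, executable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & RW_ALL != RW_ALL:
                # The POSIX mode still limits access, so checks are a mix
                # of the ACL blob and the filesystem.
                restricted.append((rel, mode))
            if mode & X_ANY:
                # The file can be executed locally on the server.
                executable.append((rel, mode))
    return sorted(restricted), sorted(executable)

def make_sample_tree(root):
    """Constructed sample files standing in for a share (assumption)."""
    for name, mode in (("doc.txt", 0o666), ("tool.sh", 0o777), ("old.dat", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod is not affected by the process umask

def demo():
    """Run the audit over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as share:
        make_sample_tree(share)
        return audit_share(share)

if __name__ == "__main__":
    restricted, executable = demo()
    for rel, mode in restricted:
        print(f"POSIX mode restricts access: {rel} {mode:04o}")
    for rel, mode in executable:
        print(f"execute bit set: {rel} {mode:04o}")
```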


