[PATCH] vfs_acl_xattr|tdb: set create mask to 0777 if ignore_system_acls is set
uri at samba.org
Mon Feb 6 21:45:24 UTC 2017
On 02/06/2017 08:30 PM, Uri Simchoni wrote:
>>> Well, what if I want files created to be 0666?
>> huh, why would you? You've explicitly requested
>> acl_xattr:ignore system acls = yes
>> whose behaviour is
>> When set to yes, a best effort mapping from/to the POSIX ACL layer will not be
>> done by this module.
>> I know it says "POSIX ACL", but you can't separate the POSIX mode from the ACL
>> from a functional perspective. We must ensure filesystem permissions are
>> completely open and permission checking is based entirely on the ACL blob from
>> the xattr, not on some unpredictable mix of blob and fs.
> I just think 0777 increases the attack surface if the admin doesn't wish
> files stored on that share to be locally executed, so there has to be a
> way to avoid x bit.
> My thinking is that if a file is world-readable and world-writable,
> there are no restrictions imposed by POSIX.
... so the idea is that if I explicitly set create mask to 0666, it
doesn't become 0777.