[PATCH] vfs_acl_xattr|tdb: set create mask to 0777 if ignore_system_acls is set

Uri Simchoni uri at samba.org
Mon Feb 6 21:45:24 UTC 2017


On 02/06/2017 08:30 PM, Uri Simchoni wrote:
>>> Well, what if I want files created to be 0666?
>>
>> huh, why would you? You've explicitly requested
>>
>>   acl_xattr:ignore system acls = yes
>>
>> whose behaviour is
>>
>>   When set to yes, a best effort mapping from/to the POSIX ACL layer will not be
>>   done by this module.
>>
>> I know it says "POSIX ACL", but you can't seperate the POSIX mode from the ACL
>> from a functional perspective. We must ensure filesytem permissions are
>> completely open and permission checking is based entirely on the ACL blob from
>> the xattr, not on some unpredictable mix of blob and fs.
>>
>> Cheerio!
>> -slow
>>
> 
> I just think 0777 increases the attack surface if the admin doesn't wish
> files stored on that share to be locally executed, so there has to be a
> way to avoid x bit.
> 
> My thinking is that if a file is world-readable and world-writable,
> there are no restrictions imposed by POSIX.
> 
> Uri.
> 
... so the idea is that if I explicitly set create mask to 0666, it
doesn't become 0777.



More information about the samba-technical mailing list