[Samba] User can't access a share that he has full control of

[Jeremy Allison]

On Mon, Aug 21, 2006 at 11:06:02AM -0700, Ephi Dror wrote:
> 1. Yes, the user has "---" access rights on dir2 but I still would like
> to give this user full control on dir3 in which I share directly. It can
> be done on windows but can't be done on SAMBA
> 
> 2. You right, if the user does have "x" access on all directory leading
> to dir3, he'll be fine but I'm not sure the customer will like that
> since as you I'm sure know, more and more windows customers are
> expecting us to be more and more 100% windows compatible right!!! And
> the customer I guess cares less about posix or our implementation
> challenges.

This is one of those tensions in that we're different from
Windows. Windows made different security choices here than
POSIX kernels did. This might not be possible for us to
implement securely without a change in the kernel.

> 3. If I do this change for our customers, is there any security issue
> here that I haven't thought about?

Yes, it's a security hole (IMHO). It completely bypasses
security for a path. There might be things an attacker
could do with this (don't have time right now to think
up evil scenarious but I'm sure there are some :-).

Jeremy.