[Samba] Security leak in map_nt_perms?

Abramo Bagnara abramo.bagnara at gmail.com
Thu Aug 14 21:41:14 GMT 2008

In map_nt_perms any of FILE_READ_DATA, FILE_READ_EA or
FILE_READ_ATTRIBUTES is mapped unconditionally to Unix read permission
and similarly for write permission

This means that if I put a file on a samba share where I explicitly left
*only* FILE_READ_ATTRIBUTES and FILE_READ_EA the file content becomes
hiddenly readable also if I decided (for very good reasons) otherwise.

I'd say that when a permission model is mapped to another permission
model that has less or different granularity the resulting permission
should be a subset of the original one.

This would guarantee that unwanted data exposure is impossible.

IMHO the only inconvenience that a strict/safer mapping would have is
that the attempt to grant *only* a subset of read privileges would be a
no effect (problem easily diagnosed and afforded without security risks
and with access failure as a clear feedback).

A possible alternative is to map only FILE_READ_DATA to Unix Read and to
This lead to a lesser security exposure (that however is unavoidable
taken for granted Unix RWX security model)

I'm missing something?

More information about the samba mailing list