[Samba] Security leak in map_nt_perms?

[Jeremy Allison]

On Thu, Aug 14, 2008 at 11:41:14PM +0200, Abramo Bagnara wrote:
> 
> In map_nt_perms any of FILE_READ_DATA, FILE_READ_EA or
> FILE_READ_ATTRIBUTES is mapped unconditionally to Unix read permission
> and similarly for write permission
> 
> This means that if I put a file on a samba share where I explicitly left
> *only* FILE_READ_ATTRIBUTES and FILE_READ_EA the file content becomes
> hiddenly readable also if I decided (for very good reasons) otherwise.
> 
> I'd say that when a permission model is mapped to another permission
> model that has less or different granularity the resulting permission
> should be a subset of the original one.
> 
> This would guarantee that unwanted data exposure is impossible.
> 
> IMHO the only inconvenience that a strict/safer mapping would have is
> that the attempt to grant *only* a subset of read privileges would be a
> no effect (problem easily diagnosed and afforded without security risks
> and with access failure as a clear feedback).
> 
> A possible alternative is to map only FILE_READ_DATA to Unix Read and to
> map Unix Read to FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES.
> This lead to a lesser security exposure (that however is unavoidable
> taken for granted Unix RWX security model)
> 
> I'm missing something?

Hmmmm. I'm not sure what we can do here other than store the
full NT Acl in an xattr (which I'm working on right now) and
use it as an initial filter for access_denied on open.

The underlying problem is that incoming NT -> unix perms
is a lossy mapping, not much we can do about that.

Jeremy.