Bug 10252 - Access Based Enuemration: User can see/list folders/files even when they denied to either read attribute or read extend attribiute permission

Wed Nov 6 10:24:51 MST 2013

On Wed, Nov 6, 2013 at 7:46 AM, Alexander Werth
<werth at linux.vnet.ibm.com> wrote:
> On Wed, 2013-11-06 at 07:24 -0800, Richard Sharpe wrote:
>> On Wed, Nov 6, 2013 at 7:08 AM, Alexander Werth
>> <werth at linux.vnet.ibm.com> wrote:
>> > On Wed, 2013-11-06 at 12:20 +0530, Partha Sarathi wrote:
>> >> bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
>> >> --- smbd/dir.c  2013-11-05 22:42:44.565464984 -0800
>> >> -       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
>> >> +       return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
>> >> FILE_READ_EA | FILE_READ_ATTRIBUTES));
>> >
>> >> Note: I have done the unit test and it just works like Windows i.e even if
>> >> the user is just denied for any one of the READ permissions samba hides the
>> >> folder/files with the above changes.
>> >>
>> > Hi Pratha,
>> >
>> > I just tried a few things with Access based enumeration and I actually
>> > needed the permission to read permissions as well on the windows folders
>> > before I could see them.
>> > I was using two windows 2008r2 systems for my test.
>> > Did I miss something that I needed that read permission on top of the
>> > other three?
>>
>> I think that is what Partha is saying. On Windows you need
>> FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES in order to see
>> the files/folders, while Samba was allowing you to see files/folders
>> if you had FILE_READ_DATA.
>>
> And when I tired it, these three permissions where not enough.
> I also needed the "read permissions" permission as a fourth.
> Btw. When I select "read" permission in the simplified windows dialog
> all four are selected and I've to scroll down to see that the read
> permission behaviour is selected as well.

Ahhh, now I understand. What you are saying is that it needs to be:

FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SEC_STD_READ_CONTROL

We need a torture test for this, I suspect.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)