[SMB3POSIX] File attributes

Tom Talpey tom at talpey.com
Tue Nov 14 16:22:00 UTC 2023


On 11/14/2023 4:30 AM, ronnie sahlberg wrote:
> On Tue, 14 Nov 2023 at 19:16, Ralph Boehme via samba-technical
> <samba-technical at lists.samba.org> wrote:
>>
>> On 11/13/23 18:50, Jeremy Allison wrote:
>>> On Mon, Nov 13, 2023 at 12:28:18PM +0100, Ralph Boehme wrote:
>>>> We had support for file attributes in the CIFS UNIX extensions, this
>>>> is currently not in the spec (or code) for SMB3 POSIX.
>>>>
>>>> Is this intentional? What is the reason?
>>>
>>> Do you mean the attributes listed by:
>>>
>>> man chattr.
>>
>> yes.
>>
>>> chattr - change file attributes on a Linux file system
>>>
>>> This was at the insistence of Steve as I recall.
>>
>> adding Steve to the loop.
>>
>>> We never implemented this.
>>>
>>> Might be done via a tunnelling ioctl ? Other thoughts ?
>>
>> well, it's a rabbit hole of its own and still seems to be rarely used on
>> Linux and the BSDs. It's not POSIX anyway so just declare it out of
>> scope for now?
> 
> Not to derail, but "chattr +i" is not a rabbit hole. It is very much real.
> If you are going to set up and run bind locally on a systemd-resolved
> infected system you literally must use chattr +i to stop it from ruining
> your /etc/resolv.conf

But, does it need to be exposed to remote access? It would seem to be an
admin function, most appropriate to apply via the server-local API.

So to flip the question, does "chattr -i" (or any of the zillion others)
expose any new vulnerability if remote? Some of them look fairly juicy
targets for ransomware infiltration.

Tom.

>> The Linux interface is via ioctls so doing it over the wire via SMB2
>> IOCTLs looks like a good way forward allowing us to ignore this for now
>> and possibly add it later if there's demand and resources to implement it.
>>
>> -slow
> 


