[Samba] Security leak in map_nt_perms?

#11, 08-16-2008, Abramo Bagnara
Re: [Samba] Security leak in map_nt_perms?

Jeremy Allison wrote:
> On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
>> This is exactly what I'd expect...
>
> Hmmm, not what I'd expect :-). I'll have to check into the POSIX
> mapping further, been a while since I wrote it. Are you checking
> on a system with POSIX ACLs enabled or just straight POSIX permissions?

POSIX ACLs are enabled

$ fgrep " / " /proc/mounts
/dev/disk/by-uuid/62c3ee18-49a9-4261-ad78-d746d0cbaf07 / ext3 rw,relatime,errors=remount-ro,acl,data=ordered 0 0

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

#12, 08-27-2008, Abramo Bagnara
Re: [Samba] Security leak in map_nt_perms?

Jeremy Allison wrote:
> On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
>> This is exactly what I'd expect...
>
> Hmmm, not what I'd expect :-). I'll have to check into the POSIX
> mapping further, been a while since I wrote it. Are you checking
> on a system with POSIX ACLs enabled or just straight POSIX permissions?

Any news?

Are you willing to accept a patch that makes Samba ignore requests to
allow FILE_{READ|WRITE}_{ATTRIBUTES|EA} when computing the resulting Unix
permission/ACL?


#13, 08-27-2008, Jeremy Allison
Re: [Samba] Security leak in map_nt_perms?

On Wed, Aug 27, 2008 at 11:15:20PM +0200, Abramo Bagnara wrote:
> Jeremy Allison wrote:
> > On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
> >> This is exactly what I'd expect...
> >
> > Hmmm, not what I'd expect :-). I'll have to check into the POSIX
> > mapping further, been a while since I wrote it. Are you checking
> > on a system with POSIX ACLs enabled or just straight POSIX permissions?
>
> Any news?

No, haven't got to this yet. One more question, were you setting
the user or group ACE to '---' or an alternate user or group
ACE to '---' ?

> Are you willing to accept a patch that makes Samba ignore requests to
> allow FILE_{READ|WRITE}_{ATTRIBUTES|EA} when computing the resulting Unix
> permission/ACL?


Not without examining this code thoroughly first, sorry.

Jeremy.

#14, 08-28-2008, Abramo Bagnara
Re: [Samba] Security leak in map_nt_perms?

Jeremy Allison wrote:
> On Wed, Aug 27, 2008 at 11:15:20PM +0200, Abramo Bagnara wrote:
>> Jeremy Allison wrote:
>>> On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
>>>> This is exactly what I'd expect...
>>> Hmmm, not what I'd expect :-). I'll have to check into the POSIX
>>> mapping further, been a while since I wrote it. Are you checking
>>> on a system with POSIX ACLs enabled or just straight POSIX permissions?
>>
>> Any news?
>
> No, haven't got to this yet. One more question, were you setting
> the user or group ACE to '---' or an alternate user or group
> ACE to '---' ?


Leaving only READ_CONTROL (ignored permission) for:

user: leads to r-- permission
group: leads to --- permission
others/Everyone: leads to --- permission
acl user: leads to --- permission
acl group: leads to --- permission

Leaving no permission for:

user: leads to r-- permission
group: leads to --- permission
others/Everyone: leads to --- permission
acl user: leads to ACL removal
acl group: leads to ACL removal

>> Are you willing to accept a patch that makes Samba ignore requests to
>> allow FILE_{READ|WRITE}_{ATTRIBUTES|EA} when computing the resulting Unix
>> permission/ACL?
>
> Not without examining this code thoroughly first, sorry.


Please count on my collaboration for whatever you need.

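The patch proposed in this thread, as an added example that is not Samba's map_nt_perms code and was not posted by either participant: a simplified model of an NT access mask to rwx mapping, with and without ignoring FILE_{READ|WRITE}_{ATTRIBUTES|EA}. The function name `map_mask`, the `META_BITS` macro and the loose "any read-class or write-class bit" rule are assumptions for illustration; the access-mask values are the standard Windows ones.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access-mask bits (standard Windows values). */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_EA          0x00000008u
#define FILE_WRITE_EA         0x00000010u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define READ_CONTROL          0x00020000u

/* Bits the proposed patch would ignore when deriving Unix permissions. */
#define META_BITS (FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | \
                   FILE_READ_EA | FILE_WRITE_EA)

/* Hypothetical model, not Samba code. Returns rwx as an octal digit
 * (r=4, w=2, x=1). Assumed loose rule: any read-class bit grants r and
 * any write-class bit grants w. With ignore_meta set, the attribute/EA
 * bits are stripped first, so only data access maps to r/w. */
unsigned map_mask(uint32_t mask, int ignore_meta)
{
    unsigned rwx = 0;
    if (ignore_meta)
        mask &= ~META_BITS;
    if (mask & (FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA))
        rwx |= 4;
    if (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA |
                FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
        rwx |= 2;
    if (mask & FILE_EXECUTE)
        rwx |= 1;
    return rwx;
}

int main(void)
{
    /* Constructed sample ACE masks, not taken from the thread. */
    const uint32_t samples[] = { READ_CONTROL, FILE_READ_ATTRIBUTES,
        FILE_READ_EA | FILE_WRITE_EA, FILE_READ_DATA | FILE_READ_ATTRIBUTES };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("mask 0x%08x  loose=%o  ignoring attr/EA=%o\n",
               (unsigned)samples[i], map_mask(samples[i], 0),
               map_mask(samples[i], 1));
    return 0;
}
```

In this model an ACE that grants only metadata access widens to data access on the Unix side unless the attribute/EA bits are dropped before mapping.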