On Mon, 11 Nov 2024 20:19:28 +0900
Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:

> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
> > > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > > index d5e39d281..c519af6e0 100644
> > > --- a/winsup/cygwin/sec/base.cc
> > > +++ b/winsup/cygwin/sec/base.cc
> > > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > > ace->Header.AceFlags))
> > > return;
> > > }
> > > + /* Samba without AD seems to need this. */
> > > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > > + well_known_authenticated_users_sid, acl_len, 0);
> > > acl->AclSize = acl_len;
> > >
> > > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > >
> > > What do you think?
> >
> > Giving all authenticated users full permissions to all your files?
> > Unconditionally? That sounds like opening a security hole wide open.
>
> Does this really mean such a thing? Windows 11 share reports here,
> access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?

Even with this patch, the file:

yano $ touch samba_test_file.txt
yano $ ls -l samba_test_files.txt
-rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt

cannot be written by other users:

someone $ echo BBBB > samba_test_files.txt
samba_test_files.txt: Permission denied.

-- 
Takashi Yano <takashi.y...@nifty.ne.jp>
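
Review bot: In the convert_samba_sd hunk of the patch quoted above, the added add_access_allowed_ace call runs unconditionally for every converted descriptor, although its comment limits the need to "Samba without AD"; nothing in the visible lines tests for that case. Suggest gating the ACE on that condition and granting only the rights actually required rather than FILE_ALL_ACCESS, which also covers delete and changing the DACL and owner and is wider than the 0x001201bf mask cited in the thread. The call's return value is also ignored, while the statement just before it in the context appears to return on failure; check it the same way before acl->AclSize is set.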