Hi Simo,

Thank you for your reply.

I actually did a little test in which I have two users, U1 and U2. I have a path \\dir1\dir2 in which I gave access to dir1 only to administrator (who is mapped to 0) and I gave U1 full control of dir2. Now I made a share mapping to \\dir1\dir2. With SAMBA code "as is", neither U1 nor U2 can access the share. With my little patch as I described before, U1 can access the share while U2 can't, which is exactly my expectation. Also, this is how my "windows" customers can be set up for running home directories.

Our customers are too much "windows" oriented and prefer setting file security (ACLs) via what they know best, which is file properties, and less via smb.conf, in which we are the champions...

Also, they told me that they typically create some kind of an "admin" share to the root of the file system to which only restricted users and groups can have access, and then they create all their wonderful folders and stuff in which they use ACLs to manipulate access. So they create different shares pointing to different paths in the file system, but since the "admin" share that points to the root gave access only to administrator, for example, that's how they run into the problem with our SAMBA.

So far I can't see it as a problem.

Cheers,
Ephi

-----Original Message-----
From: simo [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 11:41 AM
To: Jeremy Allison
Cc: Ephi Dror; [email protected]
Subject: Re: [Samba] User can't access a share that he has full control of

On Mon, 2006-08-21 at 11:12 -0700, Jeremy Allison wrote:
> > 3. If I do this change for our customers, is there any security
> > issue here that I haven't thought about?
>
> Yes, it's a security hole (IMHO). It completely bypasses security for
> a path. There might be things an attacker could do with this (don't
> have time right now to think up evil scenarios but I'm sure there are
> some :-).

An easy example is accessing other users' home directories where the user target has a 700 permission on his home directory specifically set to keep out other users. It is a common scenario on Unix environments.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
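
The per-directory traverse check at issue in this thread, as an added example that is not part of the original e-mails and is not Samba code: it walks from a share's base directory down to the share path and lists the components a given uid cannot search, using classic mode bits only (no POSIX ACLs, no Samba logic). The uids and the temporary dir1/dir2 layout are constructed for illustration.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids=()):
    """Classic POSIX mode-bit test for search (x) permission on a directory."""
    if uid == 0:                       # root (the thread's "administrator") passes
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_components(base, rel, uid, gids=()):
    """Components below `base` on the way to base/rel that `uid` cannot traverse."""
    blocked, current = [], base
    for part in (p for p in rel.split("/") if p):
        current = os.path.join(current, part)
        if not can_search(os.stat(current), uid, gids):
            blocked.append(part)
    return blocked

def demo():
    """Constructed layout: dir1 is admin-only (0700), dir2 is open to the user."""
    admin = os.geteuid()               # whoever runs this owns both directories
    u1 = admin + 1000                  # hypothetical unprivileged uid, never 0
    with tempfile.TemporaryDirectory() as base:
        dir1 = os.path.join(base, "dir1")
        dir2 = os.path.join(dir1, "dir2")
        os.makedirs(dir2)
        os.chmod(dir1, 0o700)          # like the 700 home directory in the reply
        os.chmod(dir2, 0o777)          # stand-in for "U1 has full control"
        strict = blocked_components(base, "dir1/dir2", u1)
        os.chmod(dir1, 0o711)          # grant search only: traverse, no listing
        traverse_only = blocked_components(base, "dir1/dir2", u1)
        as_admin = blocked_components(base, "dir1/dir2", admin)
    return strict, traverse_only, as_admin

if __name__ == "__main__":
    print(demo())
```

With dir1 at 0700 the report names dir1 as the blocking component even though dir2 is wide open; granting search-only permission on dir1 clears it without skipping the check for every path.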
