
Re: Security issue - storing NTACL's in non-NT-security-namespace

To: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Subject: Re: Security issue - storing NTACL's in non-NT-security-namespace
From: "L.A. Walsh" <samba@xxxxxxxxx>
Date: Fri, 13 Dec 2013 13:32:12 -0800
Cc: Jeremy Allison <jra@xxxxxxxxx>, Samba Technical <samba-technical@xxxxxxxxxxxxxxx>, xfs-oss <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <20131213105314.GA2117@xxxxxxxxxxxxx>
References: <52A96211.3050602@xxxxxxxxx> <20131212181315.GB20500@samba2> <52AAC7CC.8000802@xxxxxxxxx> <20131213105314.GA2117@xxxxxxxxxxxxx>
User-agent: Thunderbird
On 12/13/2013 2:53 AM, Christoph Hellwig wrote:
> On Fri, Dec 13, 2013 at 12:39:40AM -0800, L.A. Walsh wrote:
>>    Does it have to be under a "namespace" that gets *stripped*
>> as soon as the file is copied or "mv"'d to another
>> samba share (i.e. the partition it was moved to is shared with the
>> same permissions as the first one).
>
> Attributes never get "stripped", they simply don't get copied unless
> explicit action is taken to do so.  Setting trusted attributes up on a
> new file will of course rely on privileges, exactly for the reasons
> Jeremy pointed out.
----

Stripping is the default action when copying or moving unless you
take some *non-default* (and unspecified) action, AND providing you
even know they are there..

The same is NOT true for the *real* xfs-ACLS -- which are
copied w/o issue.


Example,

testfile.txt (saved via win7 as a normal user in my Doc dir):
(letter on left is my abbreviation)

 Ishtar:law/Documents> attr -l testfile.txt
U  Attribute "DOSATTRIB" has a 56 byte value for testfile.txt
R  Attribute "SGI_ACL_FILE" has a 64 byte value for testfile.txt
U  Attribute "SAMBA_PAI" has a 31 byte value for testfile.txt
S  Attribute "NTACL" has a 328 byte value for testfile.txt

Then copy using "explicit action" (-a) to save extended attributes:

Ishtar:law/Documents> cp -a testfile.txt testcopy.txt
Ishtar:law/Documents> attr -l testcopy.txt
  Attribute "DOSATTRIB" has a 56 byte value for testcopy.txt
  Attribute "SGI_ACL_FILE" has a 64 byte value for testcopy.txt
  Attribute "SAMBA_PAI" has a 31 byte value for testcopy.txt

Now NOTE: if I don't use "explicit action" (-a) in my copy:

Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
Ishtar:law/Documents> attr -l testcopy.txt
  Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt

ONLY the root-namespace ACL is saved -- the user and security
attributes are stripped.

If I try "mv"ing the -- on the same volume, I am "fine" (attributes
don't get dropped).

But if I cross a file boundary (to another XFS partition):

Ishtar:law/Documents> mv testfile.txt /Share/CPAN/
  mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’:
      Operation not permitted
Ishtar:law/Documents> attr -l /Share/CPAN/testfile.txt
  Attribute "DOSATTRIB" has a 56 byte value for /Share/CPAN/testfile.txt
  Attribute "SGI_ACL_FILE" has a 64 byte value for /Share/CPAN/testfile.txt
  Attribute "SAMBA_PAI" has a 31 byte value for /Share/CPAN/testfile.txt


Only the Security attribute is stripped.  The root namespace is copyable
by a user.


Note.  I saw this message for the 1st time, last week (the permission
message on the move).  Do you have any idea what might have caused
such a change?

Did Samba change namespaces, or is some library refusing to copy this
or maybe a kernel change?
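
A way to check which extended attributes a copy or move left behind, as an added example that is not part of the original message: it diffs attribute names between source and destination and marks those whose namespace needs CAP_SYS_ADMIN to set, per Linux xattr(7). The sample names are constructed from the listing above, assuming attr(1)'s U/R/S letters map to the user., trusted. and security. prefixes; all function names are hypothetical.

```python
import os
import sys

# Namespaces whose attributes need CAP_SYS_ADMIN to set, per Linux xattr(7).
# Assumption: no LSM claims the security.* name and applies its own policy.
PRIVILEGED_NAMESPACES = {"trusted", "security"}

# Constructed sample mirroring the cross-partition mv in the message. The
# user./trusted./security. prefixes are assumed from attr(1)'s U/R/S letters.
SAMPLE_BEFORE = {"user.DOSATTRIB", "trusted.SGI_ACL_FILE",
                 "user.SAMBA_PAI", "security.NTACL"}
SAMPLE_AFTER_MV = SAMPLE_BEFORE - {"security.NTACL"}


def list_xattrs(path):
    """Full attribute names visible to the caller on path (no symlink follow)."""
    return set(os.listxattr(path, follow_symlinks=False))


def dropped_xattrs(src_names, dst_names):
    """Report attributes present on the source but missing on the copy."""
    report = []
    for name in sorted(set(src_names) - set(dst_names)):
        ns = name.split(".", 1)[0]
        privileged = ns in PRIVILEGED_NAMESPACES
        report.append({
            "name": name,
            "namespace": ns,
            "privileged_write": privileged,
            "note": ("setting it on the copy needs CAP_SYS_ADMIN" if privileged
                     else "copy tool did not preserve it"),
        })
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:      # compare two real files: script SRC DST
        src, dst = list_xattrs(sys.argv[1]), list_xattrs(sys.argv[2])
    else:                       # no arguments: use the constructed sample
        src, dst = SAMPLE_BEFORE, SAMPLE_AFTER_MV
    findings = dropped_xattrs(src, dst)
    for f in findings:
        print(f"{f['name']}: dropped ({f['note']})")
    # Non-zero exit if an access-control attribute went missing.
    sys.exit(1 if any(f["namespace"] == "security" for f in findings) else 0)
```

Run with two paths after a copy or move to compare real files; the exit status is non-zero when a security.* attribute is missing on the destination.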


