From: "Aurélien Aptel" <aaptel-IBi9RG/b67k@public.gmane.org>
To: linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org,
	Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Marcus Hoffmann
	<marcus.hoffmann-j/7cz5qe3tpn68oJJulU0Q@public.gmane.org>
Subject: Re: [PATCH] Making shares unaccessible at root level mountable (aka solving bsc#8950 ...again)
Date: Thu, 9 Jun 2016 18:50:27 +0200
Message-ID: <20160609185027.7349f260@aaptelpc>
In-Reply-To: <20160527194346.08416d79@aaptelpc>



Small update: I've written a PowerShell script to reproduce the problem
(attached). If you're wondering why I'm not using Samba, see my notes
about it [1].

On the Windows server:
- Edit $Dir (script will create parent dirs)
- Edit $LimitedUser/$AdminUser to existing accounts
- Run the script as admin

On the Linux client:
- Mount the share sub dir with the limited user credentials:
  mount '//lutze/bug8950/sub/dir' /mnt \
        -o 'domain=LURCH,ip=10.160.5.42,username=bill,password=*****,rw'

My second solution fails for the case when the dir *containing* the
shared dir restricts the limited user. See "HARD MODE" at the end
of the script.

1: http://diobla.info/stuff/bugs/bsc799133/#sec-4

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG
Nürnberg)

[-- Attachment #1.2: repro-8950.ps1 --]
[-- Type: application/octet-stream, Size: 1497 bytes --]

#REQUIRES -Version 3.0

#
# powershell script to reproduce #8950
#

# On the Windows server:
# - Edit $Dir (script will create parent dirs)
# - Edit $LimitedUser/$AdminUser to existing accounts
# - Run the script as admin

# On the Linux client:
# - Mount the share sub dir with the limited user credentials:
#   mount '//lutze/bug8950/sub/dir' /mnt \
#         -o 'domain=LURCH,ip=10.160.5.42,username=bill,password=*****,rw'


$Dir = "C:\shares\bug8950\share"
$Dir1 = "sub"
$Dir2 = "dir"
$LimitedUser = "LURCH\bill"
$AdminUser = "LURCH\Administrator"
$Share = "bug8950"

$SubDir = $Dir + "\" + $Dir1 + "\" + $Dir2


# Clean up a previous run: drop the share (ignore the error if it is
# already gone), give the admin back full control on the whole tree so the
# deny ACEs set below do not block deletion, then remove the tree.
if (Test-Path $Dir) {
    Remove-SMBShare -Name $Share -Force -ErrorAction SilentlyContinue
    icacls.exe $Dir /grant:r   "$($AdminUser):(F)"
    icacls.exe $Dir /grant:r   "$($AdminUser):(F)" /T
    Get-ChildItem -Recurse -Path $Dir | Remove-Item -Recurse -Force
    Remove-Item -Recurse -Force $Dir
}

# Create share\sub\dir with one dummy file and export the share root.
New-Item $SubDir -Type directory -Force
"blahblah" > $SubDir\file.txt
New-SMBShare -Name $Share -Path $Dir



# ACL layout that triggers the bug: the limited user is explicitly denied
# on the share root and on the intermediate directory, and explicitly
# allowed only on the leaf directory that the client will mount.
icacls.exe $Dir /deny    "$($LimitedUser):(F)"
icacls.exe $Dir /grant:r   "$($AdminUser):(F)"

icacls.exe $Dir\$Dir1 /deny    "$($LimitedUser):(F)"
icacls.exe $Dir\$Dir1 /grant:r   "$($AdminUser):(F)"

icacls.exe $SubDir /grant:r "$($LimitedUser):(F)"
icacls.exe $SubDir /grant:r   "$($AdminUser):(F)"
# Strip the ACEs inherited from parent directories from the whole tree so
# that only the explicit ACEs set above decide who gets in.
icacls.exe $Dir /inheritance:r /T

# HARD MODE: also deny the limited user on the directory *containing* the
# share root. Make mounting work with this too:
icacls.exe $Dir\.. /remove  $LimitedUser
icacls.exe $Dir\.. /deny    "$($LimitedUser):(F)"

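Before attempting the Linux mount it is worth confirming that the ACLs on the server really are in the "denied at the share root, allowed only at the leaf" state the repro depends on. The following check is an added example and not part of the original message or its attached script: it walks from the mounted leaf directory up to the directory containing the share root and lists every explicit ACE for the limited user, then reports whether inheritance is broken on the share root. The paths and account name are assumed to match the repro script above; adjust them if you changed them there.

```powershell
# Added verification script (not from the original repro). Assumes the same
# $Dir / sub\dir / $LimitedUser values as the repro script; edit if needed.
$Dir         = "C:\shares\bug8950\share"
$SubDir      = Join-Path $Dir "sub\dir"
$LimitedUser = "LURCH\bill"

# Return the non-inherited ACEs on $Path that name $Identity.
function Get-ExplicitAces {
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -ieq $Identity
        }
}

# Walk from the leaf up to the parent of the share root (the directory that
# HARD MODE locks down as well), printing Allow/Deny for the limited user.
$path = $SubDir
$stop = Split-Path -Parent $Dir
while ($path) {
    $aces = @(Get-ExplicitAces -Path $path -Identity $LimitedUser)
    if ($aces.Count -eq 0) {
        "{0,-40} (no explicit ACE for {1})" -f $path, $LimitedUser
    } else {
        foreach ($a in $aces) {
            "{0,-40} {1,-5} {2}" -f $path, $a.AccessControlType, $a.FileSystemRights
        }
    }
    if ($path -ieq $stop) { break }
    $path = Split-Path -Parent $path
}

# Inheritance must be broken on the share root, otherwise ACEs inherited
# from above could still grant the limited user access to the root.
$rootAcl = Get-Acl -LiteralPath $Dir
"Inheritance protected on {0}: {1}" -f $Dir, $rootAcl.AreAccessRulesProtected
```

Expected after a successful run of the repro script: `Deny FullControl` on the share root and on `sub`, `Allow FullControl` on `sub\dir`, and `Inheritance protected ... True`; after the HARD MODE lines the directory above the share root shows `Deny FullControl` as well.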

Thread overview: 20+ messages
2016-05-27 17:43 [PATCH] Making shares unaccessible at root level mountable (aka solving bsc#8950 ...again) Aurélien Aptel
2016-06-09 16:50 ` Aurélien Aptel [this message]
2016-06-09 19:27   ` Marcus Hoffmann
     [not found]     ` <5759C326.5040508-j/7cz5qe3tpn68oJJulU0Q@public.gmane.org>
2016-06-10 15:16       ` Aurélien Aptel
2016-06-12 18:01         ` Marcus Hoffmann
2016-07-01 15:44         ` Marcus Hoffmann
     [not found]           ` <57768FC3.7020102-j/7cz5qe3tpn68oJJulU0Q@public.gmane.org>
2016-07-01 16:02             ` Steve French
2016-07-02  7:02         ` Pavel Shilovsky
     [not found]           ` <CAKywueRMvJ4B6ojqA1TduS4nGFTr5m4wLO2=0M_EVv=vw2T1pw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-18 14:38             ` Aurélien Aptel
2016-07-19 19:21               ` Pavel Shilovsky
     [not found]                 ` <CAKywueRFMu9nvwi_01Yz0HpOqhrK2yZVaLT2JMqw4622irQzNw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-20 10:57                   ` Aurélien Aptel
2016-07-20 12:16                     ` Aurélien Aptel
2016-07-20 18:28                       ` Pavel Shilovsky
     [not found]                         ` <CAKywueTOSD0G1k+EU-Qo_9D7S5bBw6g6T=dbQpWYWdOhr5Lsrg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-26 18:04                           ` Steve French
     [not found]                             ` <CAH2r5mviretFGDaHOre8BiZLmKhqwnfv9sdaiqoAG1xahbVjKA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-26 19:10                               ` Pavel Shilovsky
     [not found]                                 ` <CAKywueR7K5OR7+NnzEtqpWGR0gApoR3X0Y6C6ACzTf1y7JOcsA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-28  5:02                                   ` Steve French
     [not found]                                     ` <CAH2r5mtiZNDyeRe_rYy4Pcg1WhbGaZtdweM=p8fG1uc0xZcAeg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-28  8:28                                       ` Aurélien Aptel
2016-07-29 13:11         ` Sachin Prabhu
     [not found]           ` <1469797864.14723.15.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-07-29 13:31             ` Sachin Prabhu
     [not found]               ` <1469799107.14723.18.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-07-29 20:20                 ` Steve French