Linux CIFS filesystem development
From: "Aurélien Aptel" <aaptel-IBi9RG/b67k@public.gmane.org>
To: linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org,
	Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Marcus Hoffmann
	<marcus.hoffmann-j/7cz5qe3tpn68oJJulU0Q@public.gmane.org>
Subject: Re: [PATCH] Making shares unaccessible at root level mountable (aka solving bsc#8950 ...again)
Date: Thu, 9 Jun 2016 18:50:27 +0200	[thread overview]
Message-ID: <20160609185027.7349f260@aaptelpc> (raw)
In-Reply-To: <20160527194346.08416d79@aaptelpc>



Small update: I've written a powershell script to reproduce the problem
(attached). If you're wondering why I'm not using samba, see my notes
about it [1].

On the Windows server:
- Edit $Dir (script will create parent dirs)
- Edit $LimitedUser/$AdminUser to an existing one
- Run the script as admin

On the linux client:
- Mount the share sub dir with the limited user credentials:
  mount '//lutze/bug8950/sub/dir' /mnt \
        -o 'domain=LURCH,ip=10.160.5.42,username=bill,password=*****,rw'

My second solution fails for the case when the dir *containing* the
shared dir restricts the limited user. See "HARD MODE" at the end
of the script.

1: http://diobla.info/stuff/bugs/bsc799133/#sec-4

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG
Nürnberg)

[-- Attachment #1.2: repro-8950.ps1 --]

#Requires -Version 3.0

#
# powershell script to reproduce #8950
#

# On the server:
# - Edit $Dir (script will create parent dirs)
# - Edit $LimitedUser/$AdminUser to existing accounts
# - Run the script as admin (New-SmbShare/Remove-SmbShare need elevation)

# On the linux client:
# - Mount the share sub dir with the limited user credentials:
#   mount '//lutze/bug8950/sub/dir' /mnt \
#         -o 'domain=LURCH,ip=10.160.5.42,username=bill,password=*****,rw'


$Dir = "C:\shares\bug8950\share"    # directory exported as the share root
$Dir1 = "sub"
$Dir2 = "dir"
$LimitedUser = "LURCH\bill"          # user who must only be able to reach $SubDir
$AdminUser = "LURCH\Administrator"
$Share = "bug8950"

$SubDir = Join-Path $Dir (Join-Path $Dir1 $Dir2)   # C:\shares\bug8950\share\sub\dir
$ParentDir = Split-Path -Parent $Dir                # C:\shares\bug8950 (HARD MODE)


# Clean up a previous run: drop the share, give the admin full control over
# the whole tree (deny ACEs left by the last run would otherwise block the
# deletion) and remove it.
if (Test-Path $Dir) {
    Remove-SmbShare -Name $Share -Force -ErrorAction SilentlyContinue
    icacls.exe $Dir /grant:r "$($AdminUser):(F)"
    icacls.exe $Dir /grant:r "$($AdminUser):(F)" /T
    Get-ChildItem -Recurse -Path $Dir | Remove-Item -Recurse -Force
    Remove-Item -Recurse -Force $Dir
}

# Fresh tree with one file in the sub dir, exported as $Share.
New-Item $SubDir -ItemType Directory -Force | Out-Null
Set-Content -Path (Join-Path $SubDir "file.txt") -Value "blahblabh"
New-SmbShare -Name $Share -Path $Dir


# NTFS ACLs: deny the limited user at the share root and at $Dir\sub, grant
# him full control on the sub dir only. The admin keeps full control everywhere.
icacls.exe $Dir /deny    "$($LimitedUser):(F)"
icacls.exe $Dir /grant:r "$($AdminUser):(F)"

icacls.exe (Join-Path $Dir $Dir1) /deny    "$($LimitedUser):(F)"
icacls.exe (Join-Path $Dir $Dir1) /grant:r "$($AdminUser):(F)"

icacls.exe $SubDir /grant:r "$($LimitedUser):(F)"
icacls.exe $SubDir /grant:r "$($AdminUser):(F)"

# Strip inherited ACEs from the whole tree so only the explicit ones above apply.
icacls.exe $Dir /inheritance:r /T

# HARD MODE: also deny the limited user on the directory *containing* the
# share root. Make mounting work with this:
icacls.exe $ParentDir /remove $LimitedUser
icacls.exe $ParentDir /deny   "$($LimitedUser):(F)"
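As an added check, not part of Aurélien's repro-8950.ps1 or of the cifs code, the following PowerShell snippet prints the ACL layout the repro script leaves behind, so the preconditions of the bug can be confirmed on the Windows server before attempting the Linux mount. It assumes the same $Dir, $Share and $LimitedUser values as the repro script (all assumptions, edit to match) and the SmbShare module that New-SmbShare comes from. It walks from the directory containing the share root (the HARD MODE level) down to the sub dir and, for each level, reports whether the limited user is explicitly denied, allowed, or not named at all, then lists the share-level permissions separately.

```powershell
#Requires -Version 3.0
# Added verification snippet, not part of repro-8950.ps1: print the ACL
# layout the repro script produced, one line per directory level.
# Assumes the same paths/accounts as repro-8950.ps1 (edit to match).

$Dir         = "C:\shares\bug8950\share"
$SubDir      = Join-Path $Dir "sub\dir"
$Share       = "bug8950"
$LimitedUser = "LURCH\bill"

# All ACEs (explicit or inherited) on $Path that name $Identity.
function Get-UserAces {
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Directories to inspect: parent of the share root (HARD MODE), the share
# root itself, then every path component down to the sub dir.
$levels = @((Split-Path -Parent $Dir), $Dir)
$cur = $Dir
$rel = $SubDir.Substring($Dir.Length).TrimStart('\')
foreach ($part in ($rel -split '\\')) {
    $cur = Join-Path $cur $part
    $levels += $cur
}

# Share-level ACL. New-SmbShare grants Everyone Read by default, so any
# deny relevant to the bug has to come from NTFS, not from here.
"Share permissions for \\$env:COMPUTERNAME\$Share"
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

"NTFS ACEs for $LimitedUser, from the share root's parent down to the sub dir"
foreach ($level in $levels) {
    $aces  = @(Get-UserAces -Path $level -Identity $LimitedUser)
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $verdict = if ($deny.Count) { 'DENY' } elseif ($allow.Count) { 'ALLOW' } else { 'no ACE for this user' }
    "{0,-40} {1}" -f $level, $verdict
    foreach ($a in $aces) {
        "    {0,-5} {1} inherited={2}" -f $a.AccessControlType, $a.FileSystemRights, $a.IsInherited
    }
}
```

Run it elevated on the server after repro-8950.ps1. The expected picture for the bug is DENY at C:\shares\bug8950\share and at ...\share\sub, ALLOW only at ...\share\sub\dir, and, with HARD MODE applied, DENY at C:\shares\bug8950 as well; if the share root shows no ACE for the user, the mount failure has another cause.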

Thread overview: 20+ messages
2016-05-27 17:43 [PATCH] Making shares unaccessible at root level mountable (aka solving bsc#8950 ...again) Aurélien Aptel
2016-06-09 16:50 ` Aurélien Aptel [this message]
2016-06-09 19:27   ` Marcus Hoffmann
2016-06-10 15:16     ` Aurélien Aptel
2016-06-12 18:01       ` Marcus Hoffmann
2016-07-01 15:44       ` Marcus Hoffmann
2016-07-01 16:02         ` Steve French
2016-07-02  7:02       ` Pavel Shilovsky
2016-07-18 14:38         ` Aurélien Aptel
2016-07-19 19:21           ` Pavel Shilovsky
2016-07-20 10:57             ` Aurélien Aptel
2016-07-20 12:16               ` Aurélien Aptel
2016-07-20 18:28                 ` Pavel Shilovsky
2016-07-26 18:04                   ` Steve French
2016-07-26 19:10                     ` Pavel Shilovsky
2016-07-28  5:02                       ` Steve French
2016-07-28  8:28                         ` Aurélien Aptel
2016-07-29 13:11       ` Sachin Prabhu
2016-07-29 13:31         ` Sachin Prabhu
2016-07-29 20:20           ` Steve French
