Re: Security issue - storing NTACL's in non-NT-security-namespace

From: "L.A. Walsh" <samba@tlinx.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: Samba Technical <samba-technical@lists.samba.org>,
	Jeremy Allison <jra@samba.org>, xfs-oss <xfs@oss.sgi.com>
Subject: Re: Security issue - storing NTACL's in non-NT-security-namespace
Date: Fri, 13 Dec 2013 13:32:12 -0800	[thread overview]
Message-ID: <52AB7CDC.5040801@tlinx.org> (raw)
In-Reply-To: <20131213105314.GA2117@infradead.org>

On 12/13/2013 2:53 AM, Christoph Hellwig wrote:
> On Fri, Dec 13, 2013 at 12:39:40AM -0800, L.A. Walsh wrote:
>   
>>    Does it have to be under a "namespace" that gets *stripped*
>> as soon as the file is copied or "mv'd to another
>> samba share (i.e. the partition it was moved to is shared with the
>> same permissions as the first one.
>>     
>
> Attributes never get "stripped", they simple don't get copied unless
> explicit action is taken to do so.  Setting trusted attributes up on a
> new file will of course rely privilegues, exactly for the reasons
> Jeremy pointed out.
>   
----

Stripping is the default action when copying or moving unless you
take some *non-default* (and unspecified) action, AND providing you
even know they are there..

The same is NOT true for the *real* xfs-ACLS -- which are
copied w/o issue.

Example,

testfile.txt (saved via win7 as a normal user in my Doc dir:
(letter on left is my abbrieviation

  Ishtar:law/Documents> attr -l testfile.txt
U  Attribute "DOSATTRIB" has a 56 byte value for testfile.txt
R  Attribute "SGI_ACL_FILE" has a 64 byte value for testfile.txt
U  Attribute "SAMBA_PAI" has a 31 byte value for testfile.txt
S  Attribute "NTACL" has a 328 byte value for testfile.txt      

Then copy using "explicit action" (-a) to save extended attributes:

 Ishtar:law/Documents> cp -a testfile.txt testcopy.txt
 Ishtar:law/Documents> attr -l testcopy.txt
   Attribute "DOSATTRIB" has a 56 byte value for testcopy.txt
   Attribute "SGI_ACL_FILE" has a 64 byte value for testcopy.txt
   Attribute "SAMBA_PAI" has a 31 byte value for testcopy.txt

Now NOTE: if I don't use "explicit action" (-a) in my copy:

 Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
 Ishtar:law/Documents> attr -l testcopy.txt                
   Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt

ONLY the root-namespace ACL is save  -- the user and security
attributes are striped.

If I try "mv"ing the -- on the same volume, I am "fine" (attributes
don't get dropped).

But if I cross a file boundary (to another XFS partition):

 Ishtar:law/Documents> mv testfile.txt /Share/CPAN/
   mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’:
       Operation not permitted
 Ishtar:law/Documents> attr -l /Share/CPAN/testfile.txt
   Attribute "DOSATTRIB" has a 56 byte value for /Share/CPAN/testfile.txt
   Attribute "SGI_ACL_FILE" has a 64 byte value for
    /Share/CPAN/testfile.txt
   Attribute "SAMBA_PAI" has a 31 byte value for /Share/CPAN/testfile.txt

Only the Security attribute is stripped.  the root namespace is copyable
by a user

Note.  I saw this message for the 1st time, last week (the permission
message on the move).  Do you have any idea what might have caused
such a change?

Did Samba changed namespaces, or is some library refusing to copy this
or maybe a kernel change?

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs