On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> On Mon, 18 Nov 2024 17:26:12 +0100
> Corinna Vinschen wrote:
> > We can safely assume that the current user is already authorized on the
> > SMB server. So... shouldn't AuthzInitializeResourceManager be
> > sufficient and the code from class authz_ctx already does what we want?
> > We may just have to use in in place of calling NtCheckAccess(),
> > maybe with a tweak or two...
>
> I already tried AuthzInitializeResourceManager(), but the result
> was the same with current implementation...
So you tried to call authz_get_user_attribute()?
> BTW, I come up with another implementation. This make the things
> much simpler. What do you think of the patch attached?
> [...]
> int
> check_file_access (path_conv &pc, int flags, bool effective)
> {
> @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool
> effective)
> desired |= FILE_EXECUTE;
> if (!get_file_sd (pc.handle (), pc, sd, false))
> {
> - /* Tweak Samba security descriptor as necessary. */
> - if (pc.fs_is_samba ())
> - convert_samba_sd (sd);
> - ret = check_access (sd, file_mapping, desired, flags, effective);
> + HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> + 0, NULL, OPEN_EXISTING,
> + FILE_FLAG_BACKUP_SEMANTICS, NULL);
> + if (h != INVALID_HANDLE_VALUE)
> + {
> + CloseHandle (h);
> + ret = 0;
> + }
> }
> debug_printf ("flags %y, ret %d", flags, ret);
> return ret;
No, we can't do that, it's too simple.
Just kidding.
This is so simple, I'm puzzled we never tried that before. Or, if we
did, it's a loooong time ago...
If we really do this, we don't even need to call get_file_sd(). And it
should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
Also, the sharing flags should allow all access. And the `effective'
argument needs to be taken into account.
I wonder what side effects this has, but I can't think of any...
And I don't see any way around that, actually. {Nt}AccessCheck
as well as AuthzAccessCheck(*) use a token/sid context and compare
that against a security descriptor. Both don't care where the
SD is coming from, so the fact that this is coming from an
authenticated connection to a remote SMB server is just lost on them.
There's no simple CheckFileAccess function in the Windows API I'm
aware of :(
Thanks,
Corinna
(*) I wonder if AuthzAccessCheck isn't implemented using NtAccessCheck
under the hood...
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
