linux-cifs.vger.kernel.org archive mirror
* setcifsacl: Shouldn't 0x0 be a valid mask?
@ 2021-09-23 15:55 Bruno Wolff III
  2021-09-23 16:15 ` Steve French
  0 siblings, 1 reply; 6+ messages in thread
From: Bruno Wolff III @ 2021-09-23 15:55 UTC (permalink / raw)
  To: linux-cifs

I was looking at using S-1-2-3-4 to take away rights via ownership and 
granting no access (but not denying it either) makes sense as access 
is granted via group membership. Microsoft's documentation seems to 
suggest that a 0x0 mask is valid.
Quote from 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125370(v=ws.10)?redirectedfrom=MSDN
"When you add the Owner Rights security principal to objects, you can 
specify what permissions are given to the owner of an object. For example 
you can specify in the access control entry (ACE) of an object that the 
owner of a particular object is given Read permissions or you can specify 
NULL permissions to an object, which grants the owner of the object no 
permissions."

Here is example output:
# setcifsacl -a "ACL:S-1-2-3-4:0x0/0x0/0x0" bruno-test
verify_ace_mask: Invalid mask 0x0 (value 0x0)

Besides the owner rights case, I think this might also make sense in an ACL 
to break inheritance, though in that case there might be other ways to 
do that.

Unless having a 0x0 mask actually breaks things, it doesn't seem that 
it is a good idea to prohibit it.


* Re: setcifsacl: Shouldn't 0x0 be a valid mask?
  2021-09-23 16:15 ` Steve French
@ 2021-09-23 16:10   ` Bruno Wolff III
  2021-09-23 16:35   ` Bruno Wolff III
  2021-09-23 19:38   ` Bruno Wolff III
  2 siblings, 0 replies; 6+ messages in thread
From: Bruno Wolff III @ 2021-09-23 16:10 UTC (permalink / raw)
  To: Steve French; +Cc: CIFS

On Thu, Sep 23, 2021 at 11:15:26 -0500,
  Steve French <smfrench@gmail.com> wrote:
>Do you have an example of doing the same thing via
>
>"smbcacls" (from Linux) or "icacls" (or cacls.exe) from Windows?

Not yet. I'll see if I can get an example quickly.


* Re: setcifsacl: Shouldn't 0x0 be a valid mask?
  2021-09-23 15:55 setcifsacl: Shouldn't 0x0 be a valid mask? Bruno Wolff III
@ 2021-09-23 16:15 ` Steve French
  2021-09-23 16:10   ` Bruno Wolff III
                     ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Steve French @ 2021-09-23 16:15 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: CIFS

Do you have an example of doing the same thing via

"smbcacls" (from Linux) or "icacls" (or cacls.exe) from Windows?

On Thu, Sep 23, 2021 at 11:14 AM Bruno Wolff III <bruno@wolff.to> wrote:
>
> I was looking at using S-1-2-3-4 to take away rights via ownership and
> granting no access (but not denying it either) makes sense as access
> is granted via group membership. Microsoft's documentation seems to
> suggest that a 0x0 mask is valid.
> Quote from
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125370(v=ws.10)?redirectedfrom=MSDN
> "When you add the Owner Rights security principal to objects, you can
> specify what permissions are given to the owner of an object. For example
> you can specify in the access control entry (ACE) of an object that the
> owner of a particular object is given Read permissions or you can specify
> NULL permissions to an object, which grants the owner of the object no
> permissions."
>
> Here is example output:
> # setcifsacl -a "ACL:S-1-2-3-4:0x0/0x0/0x0" bruno-test
> verify_ace_mask: Invalid mask 0x0 (value 0x0)
>
> Besides the owner rights case, I think this might also make sense in an ACL
> to break inheritance, though in that case there might be other ways to
> do that.
>
> Unless having a 0x0 mask actually breaks things, it doesn't seem that
> it is a good idea to prohibit it.



-- 
Thanks,

Steve


* Re: setcifsacl: Shouldn't 0x0 be a valid mask?
  2021-09-23 16:15 ` Steve French
  2021-09-23 16:10   ` Bruno Wolff III
@ 2021-09-23 16:35   ` Bruno Wolff III
  2021-09-23 19:38   ` Bruno Wolff III
  2 siblings, 0 replies; 6+ messages in thread
From: Bruno Wolff III @ 2021-09-23 16:35 UTC (permalink / raw)
  To: Steve French; +Cc: CIFS

On Thu, Sep 23, 2021 at 11:15:26 -0500,
  Steve French <smfrench@gmail.com> wrote:
>Do you have an example of doing the same thing via
>
>"smbcacls" (from Linux) or "icacls" (or cacls.exe) from Windows?

smbcacls seems to also not allow 0x0 for the permissions part of the ACL. 
I'll see if I can check on cacls.exe.


* Re: setcifsacl: Shouldn't 0x0 be a valid mask?
  2021-09-23 16:15 ` Steve French
  2021-09-23 16:10   ` Bruno Wolff III
  2021-09-23 16:35   ` Bruno Wolff III
@ 2021-09-23 19:38   ` Bruno Wolff III
       [not found]     ` <CAH2r5msf525KHBUTgiTMFwzm=Wk_0vGeHuWFia1ijBETSvG4Ew@mail.gmail.com>
  2 siblings, 1 reply; 6+ messages in thread
From: Bruno Wolff III @ 2021-09-23 19:38 UTC (permalink / raw)
  To: Steve French; +Cc: CIFS

On Thu, Sep 23, 2021 at 11:15:26 -0500,
  Steve French <smfrench@gmail.com> wrote:
>Do you have an example of doing the same thing via
>
>"smbcacls" (from Linux) or "icacls" (or cacls.exe) from Windows?

I'm still trying to get the correct syntax for icacls, but when I 
used a GUI I was able to add an ACL with no access which icacls 
will display:
PS C:\Users\bruno-a> icacls forwards
forwards OWNER RIGHTS:
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)
         AD\bruno-a:(I)(F)

Successfully processed 1 files; Failed processing 0 files


* Re: setcifsacl: Shouldn't 0x0 be a valid mask?
       [not found]     ` <CAH2r5msf525KHBUTgiTMFwzm=Wk_0vGeHuWFia1ijBETSvG4Ew@mail.gmail.com>
@ 2021-09-23 20:48       ` Bruno Wolff III
  0 siblings, 0 replies; 6+ messages in thread
From: Bruno Wolff III @ 2021-09-23 20:48 UTC (permalink / raw)
  To: Steve French; +Cc: CIFS

I changed a file in a place I could mount remotely and getcifsacl is 
showing a permission mask of 0. So it does look like it is possible 
to get them in NTFS.
# getcifsacl test-bruno
# filename: test-bruno
REVISION:0x1
CONTROL:0x8404
OWNER:S-1-5-21-1229272821-630328440-682003330-2408
GROUP:S-1-5-21-1229272821-630328440-682003330-513
DACL:
ACL:S-1-3-4:ALLOWED/0x0/
ACL:S-1-5-18:ALLOWED/I/FULL
ACL:S-1-5-32-544:ALLOWED/I/FULL
No SACL
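
Added example (not part of the thread and not cifs-utils code): a simplified C model of the Windows DACL walk, showing why the zero-mask OWNER RIGHTS ACE in the getcifsacl output above is meaningful. The scenario() helper, the token contents and the OWNER_IMPLICIT name are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define OWNER_IMPLICIT  0x00060000u  /* READ_CONTROL | WRITE_DAC */
#define FILE_ALL_ACCESS 0x001F01FFu  /* printed as FULL by getcifsacl */
#define OWNER_RIGHTS    "S-1-3-4"
struct ace { const char *sid; int deny; uint32_t mask; };

static int has_sid(const char *const *tok, size_t n, const char *sid)
{
    while (n--)
        if (strcmp(tok[n], sid) == 0) return 1;
    return 0;
}

/* Simplified model of the DACL walk (inheritance flags ignored): returns the
 * maximum rights a token holding SIDs `tok` gets on an object owned by `owner`. */
uint32_t effective_rights(const struct ace *dacl, size_t n,
                          const char *const *tok, size_t ntok, const char *owner)
{
    int is_owner = has_sid(tok, ntok, owner), owner_ace = 0;
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        int is_or = strcmp(dacl[i].sid, OWNER_RIGHTS) == 0;
        owner_ace |= is_or;  /* presence alone matters, even with mask 0x0 */
        if (!(is_or ? is_owner : has_sid(tok, ntok, dacl[i].sid))) continue;
        if (dacl[i].deny) denied |= dacl[i].mask & ~granted;
        else granted |= dacl[i].mask & ~denied;
    }
    /* Implicit owner rights apply only when the DACL has no OWNER RIGHTS ACE. */
    if (is_owner && !owner_ace) granted |= OWNER_IMPLICIT;
    return granted;
}

/* Constructed scenario: DACL modelled on the getcifsacl output above. */
uint32_t scenario(int with_owner_rights_ace, int owner_is_admin)
{
    static const char owner[] = "S-1-5-21-1229272821-630328440-682003330-2408";
    const struct ace dacl[] = { { OWNER_RIGHTS,   0, 0x0 },
                                { "S-1-5-18",     0, FILE_ALL_ACCESS },
                                { "S-1-5-32-544", 0, FILE_ALL_ACCESS } };
    const char *const tok[2] = { owner, owner_is_admin ? "S-1-5-32-544" : owner };
    size_t skip = !with_owner_rights_ace;
    return effective_rights(dacl + skip, 3 - skip, tok, 2, owner);
}

int main(void)
{
    printf("0x%x 0x%x 0x%x\n", (unsigned)scenario(1, 0),
           (unsigned)scenario(0, 0), (unsigned)scenario(1, 1));
}
```

With the 0x0 ACE present the owner gets no rights unless a group ACE grants them; without it the owner keeps the implicit READ_CONTROL and WRITE_DAC.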


