'[Netatalk-devel] Re: security issue, netatalk 1.5rc2 (and/or MacOS)?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netatalk-devel
Subject:    [Netatalk-devel] Re: security issue, netatalk 1.5rc2 (and/or MacOS)?
From:       Rick Zeman <rzeman () his ! com>
Date:       2001-12-21 16:12:54
[Download RAW message or body]

On 12/21/01 6:10 AM, "Lorenzo Perone" <lopez.on.the.lists@yellowspace.net>
wrote:

This is what I was told:

> Ok, I think I understand what you are talking about.  This has already
> been reported as a bug against OS 10.1.  In that version, Finder has
> changed its behavior on copying folders so that group and world
> privileges get opened to rwx.  This was done deliberately by Finder and
> in hindsight was a bad thing to do.  Finder team is currently working
> with our security team to use a better method.  Sorry about that.

___________________________________


> Let apart, for a second, the rights-scandal that Apple has produced in OSX
> 10.1
> (just because we can't change this, yet we can hope that L.W. is monitoring
> this thread!)
> 
> Still, I don't actually get why,
> with netatalk 1.5rc2, __OS9.1__ clients don't keep the sticky bit on...
> 
> I just re-verified it across netatalk versions.
> 
> Parent folder within share: of the kind drwxrws--x
> 
> ### with netatalk-1.5rc2:
> A new folder, as well as a duplicate folder, produce folders like this:
> (like samba without the force directory and file modes options...):
> 
> drwxrwx---
> 
> so all files and dirs created within the copied folder will have the user's
> primary group instead of inheriting the share's group.
> 
> ### with netatalk-1.4+asun2.1.4_pre37_test,
> the rights of the new folder are completely correct (from my point of
> view...):
> 
> drwxrws--x
> 
> ### with netatalk-1.5pre38
> the rights of the new folder are like this:
> 
> drwxrws---
> 
> (so the execute bit is missing, which is not as tragical as the missing sticky
> bit...)
> 
> Please help us out of this from the netatalk side!
> (Per-share dir and file modes options....?)
> 
> 
> Lorenzo
> 
> 
> At 10:11 Uhr -0500 20.12.2001, Rick Zeman wrote:
>> On 12/20/01 9:30 AM, "Lorenzo Perone" <lopez.on.the.lists@yellowspace.net>
>> wrote:
>> 
>>> Since the update to rc2:
>>> environment: parent directories and share directories with the following
>>> rights:
>>> drwxrws--x
>>> 
>>> ### the following happens with _client: OS X 10.1.1_:
>>> 
>>> when making a new folder inside of such a directory over th Finder,
>>> I get a new one with the following rights on the server:
>>> 
>>> drwxrwxr-x (others get read access, and group loses sticky bit)
>>> 
>>> worse yet, if I take an existing folder (drwxrws--x ) and duplicate it in
>>> the
>>> Finder,
>>> I get one with
>>> 
>>> drwxrwxrwx !! (as well as all the files inside, all -rwxrwxrwx)
>>> 
>>> ### The following happens with  _client: OS 9.1_:
>>> 
>>> when making a new folder:
>>> 
>>> drwxrwx--- (others lose execute, group loses sticky bit)
>>> 
>>> duplicate it in the Finder makes the same as a new one on OS9.
>> 
>> That's actually a design FEATURE in 10.1!!!  I freaked out over this a month
>> ago when I discovered it going from 10.1.1 to a Netware 5 server running the
>> AFPTCP.nlm and sent some emails off to some people at Apple and Novell.
>> Since it didn't affect the netatalk 1.4b2 that was being used or 9.x on the
>> client end, I'd (wrongly) assumed that it was a Novell problem.
>> I didn't hear WHY Apple consciously made that decision in 10.1, only that
>> they regretted it and are working with their security people to ensure that
>> it was changed correctly.
>> 
>> It only affects folder creation (and its contents), not file-only creation.
>> Basically, all new folders and their contents become world readable and
>> writeable no matter what the parent folders permissions are, as you saw.
>> 
>> In Netware parlance, an explicit trustee of ROOT was added with full perms
>> so any user, or any object in the NDS tree had full access to those files.
>> Horrible.
>> 
>> 
>> --
>> "So Long, and Thanks For All the Fish."
>>       --Douglas Adams
>>          1952-2001
> 
> 

-- 
"So Long, and Thanks For All the Fish."
       --Douglas Adams
          1952-2001


_______________________________________________
Netatalk-devel mailing list
Netatalk-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netatalk-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic