[prev in list] [next in list] [prev in thread] [next in thread]
List: netatalk-devel
Subject: [Netatalk-devel] Re: security issue, netatalk 1.5rc2 (and/or MacOS)?
From: Rick Zeman <rzeman () his ! com>
Date: 2001-12-21 16:12:54
[Download RAW message or body]
On 12/21/01 6:10 AM, "Lorenzo Perone" <lopez.on.the.lists@yellowspace.net>
wrote:
This is what I was told:
> Ok, I think I understand what you are talking about. This has already
> been reported as a bug against OS 10.1. In that version, Finder has
> changed its behavior on copying folders so that group and world
> privileges get opened to rwx. This was done deliberately by Finder and
> in hindsight was a bad thing to do. Finder team is currently working
> with our security team to use a better method. Sorry about that.
___________________________________
> Let apart, for a second, the rights-scandal that Apple has produced in OSX
> 10.1
> (just because we can't change this, yet we can hope that L.W. is monitoring
> this thread!)
>
> Still, I don't actually get why,
> with netatalk 1.5rc2, __OS9.1__ clients don't keep the sticky bit on...
>
> I just re-verified it across netatalk versions.
>
> Parent folder within share: of the kind drwxrws--x
>
> ### with netatalk-1.5rc2:
> A new folder, as well as a duplicate folder, produce folders like this:
> (like samba without the force directory and file modes options...):
>
> drwxrwx---
>
> so all files and dirs created within the copied folder will have the user's
> primary group instead of inheriting the share's group.
>
> ### with netatalk-1.4+asun2.1.4_pre37_test,
> the rights of the new folder are completely correct (from my point of
> view...):
>
> drwxrws--x
>
> ### with netatalk-1.5pre38
> the rights of the new folder are like this:
>
> drwxrws---
>
> (so the execute bit is missing, which is not as tragical as the missing sticky
> bit...)
>
> Please help us out of this from the netatalk side!
> (Per-share dir and file modes options....?)
>
>
> Lorenzo
>
>
> At 10:11 Uhr -0500 20.12.2001, Rick Zeman wrote:
>> On 12/20/01 9:30 AM, "Lorenzo Perone" <lopez.on.the.lists@yellowspace.net>
>> wrote:
>>
>>> Since the update to rc2:
>>> environment: parent directories and share directories with the following
>>> rights:
>>> drwxrws--x
>>>
>>> ### the following happens with _client: OS X 10.1.1_:
>>>
>>> when making a new folder inside of such a directory over th Finder,
>>> I get a new one with the following rights on the server:
>>>
>>> drwxrwxr-x (others get read access, and group loses sticky bit)
>>>
>>> worse yet, if I take an existing folder (drwxrws--x ) and duplicate it in
>>> the
>>> Finder,
>>> I get one with
>>>
>>> drwxrwxrwx !! (as well as all the files inside, all -rwxrwxrwx)
>>>
>>> ### The following happens with _client: OS 9.1_:
>>>
>>> when making a new folder:
>>>
>>> drwxrwx--- (others lose execute, group loses sticky bit)
>>>
>>> duplicate it in the Finder makes the same as a new one on OS9.
>>
>> That's actually a design FEATURE in 10.1!!! I freaked out over this a month
>> ago when I discovered it going from 10.1.1 to a Netware 5 server running the
>> AFPTCP.nlm and sent some emails off to some people at Apple and Novell.
>> Since it didn't affect the netatalk 1.4b2 that was being used or 9.x on the
>> client end, I'd (wrongly) assumed that it was a Novell problem.
>> I didn't hear WHY Apple consciously made that decision in 10.1, only that
>> they regretted it and are working with their security people to ensure that
>> it was changed correctly.
>>
>> It only affects folder creation (and its contents), not file-only creation.
>> Basically, all new folders and their contents become world readable and
>> writeable no matter what the parent folders permissions are, as you saw.
>>
>> In Netware parlance, an explicit trustee of ROOT was added with full perms
>> so any user, or any object in the NDS tree had full access to those files.
>> Horrible.
>>
>>
>> --
>> "So Long, and Thanks For All the Fish."
>> --Douglas Adams
>> 1952-2001
>
>
--
"So Long, and Thanks For All the Fish."
--Douglas Adams
1952-2001
_______________________________________________
Netatalk-devel mailing list
Netatalk-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netatalk-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic