Re: share permissions

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2010-09-29 John Wright wrote:
> I myself favor the super mega paranoid practice, but as an alterative
> to setting smb permissions to everyone/full-access, you could give
> full access to Authenticated Users, per the best practice suggestion
> in this article:
> http://www.windowsecurity.com/articles/Share-Permissions.html

That's an option, but even "Everyone" isn't as bad as it used to be,
since Microsoft removed anonymous access from that group when XP/2003
was released.

> Incidentally, can anyone confirm that effective SMB permissions are an
> AND operation (e.g. effective write permission only results when every
> group specified in the ACL of which the user is a member has write
> permission)?

That is not the case. Permit ACLs are OR'd (i.e. you're granted access
if at least one of your groups has "allow" permissions). Deny ACLs are
ANDed (i.e. you're denied access if at least one of your groups has
"deny" permissions).

> I know that the user should be a member of only one group specified in
> the ACL for a share

Why?

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------