Problem using and understanding ntfs-3g advanced features
Post Problem using and understanding ntfs-3g advanced features
Hi,

I have some problems understanding how to use the ADVANCED NTFS-3G FEATURES.

On Windows XP SP3:
- root rights for D: are: "All Users" can do anything
- a folder TEST has been created with the rights below:

LOGIN : DIM-UB2\SM1 : All rights but not "All control"
GROUP : ADMINISTRATEURS : All rights
GROUP : SYSTEM : All rights
The folder owner is DIM-UB2\SM1

DIM-UB2 is an AD DOMAIN

On the D: root, I have created the .NTFS-3G folder with the file UserMapping below:

# Generated by usermap for Windows, v 1.1.2
# SM1
1000::S-1-5-21-2140803266-724856210-402028614-1923
# Groupes SYSTEM et Administrateurs
:1000:S-1-5-18
:1000:S-1-5-32-544
::S-1-5-21-2140803266-724856210-402028614-10000

The SIDs come from the command psgetsid.exe (PSTOOLS)

On Linux : Ubuntu 9.04

I have installed ntfs-3g advanced as below:
./configure
make
make install

No error, but attr, libattr and libattr-dev were needed

I mount the drive with the command: sudo mount -t ntfs-3g /dev/sda5 /media/D
It works.


But I have a problem with the Linux account (uid 1000 and gid 1000):

With the default umask 0022, a folder created under Linux has, under Windows, the rights below:

LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights but not "All control"
GROUP : SYSTEM : All rights but not "All control"
GROUP : ALL USERS : READ and EXEC


With umask 0007, a folder created under Linux has, under Windows, the rights below:

LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights but not "All control"
GROUP : SYSTEM : All rights but not "All control"
GROUP : ALL USERS : NOTHING
UNKNOWN SID : READ and EXEC

Is it normal?
How can I give ONLY the same rights under Linux and Windows?

THANKS FOR HELP


Mon Aug 10, 2009 17:11
NTFS-3G Lead Developer

Post Re: Problem using and understanding ntfs-3g advanced features
Hi

Which Advanced ntfs-3g version are you using, on which kernel?

Quote:
LOGIN : DIM-UB2\SM1 : All rights but not "All control"
GROUP : ADMINISTRATEURS : All rights
GROUP : SYSTEM : All rights
The owner folder is DIM-UB2\SM1

This is apparently OK, but which is the group of the folder (this is different from the groups having rights on the folder)? You can get it (on Windows or Linux) by typing the following (check the "Group SID" parameter):
Code:
secaudit -vv folder-name

Quote:
# Groupes SYSTEM et Administrateurs
:1000:S-1-5-18
:1000:S-1-5-32-544

These should not be there. All non-users are mapped to root and cannot be mapped to non-root. You should declare group 1000 to match the user group to which user SM1 belongs. Generally the SID ends with 513 (but SM1 is under the control of an AD, and there may be differences).
Quote:
No error but attr, libattr and libattr-dev was needed

Did you configure with option --enable-posix-acls ?

Quote:
LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights but not "All control"
GROUP : SYSTEM : All rights but not "All control"
GROUP : ALL USERS : READ and EXEC

This looks correct to me. Administrators and SYSTEM always have full rights, and with umask 022 folders are created with protection 755 (or, in Windows parlance, the owner has all rights and everybody has read and execute).
Quote:
LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights but not "All control"
GROUP : SYSTEM : All rights but not "All control"
GROUP : ALL USERS : NOTHING
UNKNOWN SID : READ and EXEC

This is also correct: with umask 007, directories are created with rights 750 (in Windows parlance, the owner has all rights, the group has read and execute, and everybody else has nothing). Just note you have not mapped group 1000, so a default SID was used, based on the last line of your mapping file, and Windows does not know about it, hence you get an "UNKNOWN SID".
Quote:
Is it normal ?

Yes, but you should map the group to which SM1 belongs (and have the same user/group structure on both systems).
Quote:
How can i give ONLY the same rights under Linux and Windows ?

Why are you stressing "only"? Do you feel you have granted unexpected rights? Which ones?
You cannot have the same rights in Linux and Windows in all circumstances. The concepts are different. Windows uses protection inheritance, Linux does not.
You can get Linux to create files with protections inherited the Windows way by mounting with the option inherit:
Code:
sudo mount -t ntfs-3g -o inherit /dev/sda5 /media/D

But generally this leads to poor protections on Linux (most files are created with execute permissions...).
Unless you have very specific needs, by mapping the users and groups and setting the umask you get adequate protections.

Regards

Jean-Pierre


Mon Aug 10, 2009 19:01
Post Re: Problem using and understanding ntfs-3g advanced features
Hi,

I'm using ntfs-3g-2009.4.4AR.16.tgz on kernel 2.6.28-14-generic

secaudit -vv gives:


D:\Tools>secaudit.exe -vv D:\SM1-CREE-SOUS-WINDOWS
secaudit 1.3.8 : NTFS security data auditing
Directory D:\SM1-CREE-SOUS-WINDOWS
No SACL
Computed hash : 0x5bfbfaf0
Windows attrib : 0x10
Global header
revision 1
flags 0x9404
DACL present
DACL was inherited automatically
DACL cannot be modified by inheritable ACEs
self relative descriptor
Off USID 0x6c
Off GSID 0x88
Off SACL 0x0
Off DACL 0x14
User SID
Local user-1923 SID
hex S-1-5-15-7f9a10c2-2b346d92-17f67846-783
dec S-1-5-21-2140803266-724856210-402028614-1923
Group SID
Local users SID
hex S-1-5-15-7f9a10c2-2b346d92-17f67846-201
dec S-1-5-21-2140803266-724856210-402028614-513
DACL
revision 2
ACL size 88
ACE cnt 3
ACE 1 at 0x1c
type 0
Access allowed
flags 0x3
Object inherits ACE
Container inherits ACE
Size 0x18
Acc rgts 0x1f01ff
Obj specific acc rgts 0x1ff
List directory
Add file
Add subdirectory
Read EA
Write EA
Traverse
Delete child
Read attributes
Write attributes
standard acc rgts 0x1f
Delete
Read control
Write DAC
Write owner
Synchronize
SID at 0x24
Local admins SID
hex S-1-5-20-220
dec S-1-5-32-544
Summary : grant rwx inherited applied
ACE 2 at 0x34
type 0
Access allowed
flags 0x3
Object inherits ACE
Container inherits ACE
Size 0x24
Acc rgts 0x1f01ff
Obj specific acc rgts 0x1ff
List directory
Add file
Add subdirectory
Read EA
Write EA
Traverse
Delete child
Read attributes
Write attributes
standard acc rgts 0x1f
Delete
Read control
Write DAC
Write owner
Synchronize
SID at 0x3c
Local user-1923 SID
hex S-1-5-15-7f9a10c2-2b346d92-17f67846-783
dec S-1-5-21-2140803266-724856210-402028614-1923
Summary : grant rwx inherited applied to owner
ACE 3 at 0x58
type 0
Access allowed
flags 0x3
Object inherits ACE
Container inherits ACE
Size 0x14
Acc rgts 0x1f01ff
Obj specific acc rgts 0x1ff
List directory
Add file
Add subdirectory
Read EA
Write EA
Traverse
Delete child
Read attributes
Write attributes
standard acc rgts 0x1f
Delete
Read control
Write DAC
Write owner
Synchronize
SID at 0x60
NT System SID
hex S-1-5-12
dec S-1-5-18
Summary : grant rwx inherited applied
No SACL
Interpreted Unix owner 1000, group 0, mode 0700
No errors were found

D:\Tools>

###################################################

I did not configure with the option --enable-posix-acls

Should I do:
./configure --enable-posix-acls
make
make install


I get an UNKNOWN SID to map other Unix users with nothing, but I don't know if I have understood this element well.

Can you give me the correct content of UserMapping?

Should it be:

# Generated by usermap for Windows, v 1.1.2
# SM1
1000::S-1-5-21-2140803266-724856210-402028614-1923
# Groupes DIM-UB2\Utilisa. du domaine, SYSTEM et Administrateurs
:1000:S-1-5-21-2140803266-724856210-402028614-513
:1000:S-1-5-18
:1000:S-1-5-32-544

I tested it, but I'm not satisfied because the group "DIM-UB2\Utilisa. du domaine" should not appear on Windows.
It's a security breach for us.

So I tested the option -o inherit with UMASK 0022 and 0007, and the result on Windows seems to be good.

LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights
GROUP : SYSTEM : All rights

And only them.

It's as if the file UserMapping was not read. Is it normal?

I did not recompile with the option --enable-posix-acls

On LINUX, the rights for folders created with the option inherit are below:
rwx------
Is it normal?


THANKS for HELP


Tue Aug 11, 2009 08:39
NTFS-3G Lead Developer

Post Re: Problem using and understanding ntfs-3g advanced features
Hi,

Quote:
Can you give me the correct content of UserMapping?

Should it be:

# Generated by usermap for Windows, v 1.1.2
# SM1
1000::S-1-5-21-2140803266-724856210-402028614-1923
# Groupe DIM-UB2\Utilisa. du domaine, SYSTEM et Administrateurs
:1000:S-1-5-21-2140803266-724856210-402028614-513
:1000:S-1-5-18
:1000:S-1-5-32-544

No: the last two lines are wrong (but they do no harm); you should not declare Administrators and SYSTEM. I suggest you use:
Code:
# SM1
1000::S-1-5-21-2140803266-724856210-402028614-1923
# Groupes DIM-UB2\Utilisa. du domaine
:1000:S-1-5-21-2140803266-724856210-402028614-513
# default
::S-1-5-21-2140803266-724856210-402028614-10000

Quote:
I get an UNKNOWN SID to map other Unix users with nothing, but I don't know if I have understood this element well.

Are you using other Linux or Windows accounts? Do they have some relation to user SM1 or group DIM-UB2?
Quote:
I tested it, but I'm not satisfied because the group "DIM-UB2\Utilisa. du domaine" should not appear on Windows.
It's a security breach for us.

Actually it appeared on Windows: it is the group of your base directory "D:\SM1-CREE-SOUS-WINDOWS". What you do not want is to grant access to this group. The standard way on Linux to do that is to set the umask to 077.
Quote:
Should I do:
./configure --enable-posix-acls
make
make install

You probably do not need to do that (if I understand your needs correctly).
Quote:
It's as if the file UserMapping was not read. Is it normal?

This is not the case, but with option inherit, you are using the Windows rules for creating files, so the umask is not used. But the UserMapping is still needed for checking access rights on Linux.
Quote:
On LINUX, the rights for folders created with the option inherit are below:
rwx------
Is it normal?

Yes, this is normal. The folder has inherited its rights from its Windows parent directory (full access to the owner, no access to the group or anybody else, except root, which always has full access).
This may be what you want (and is recommended if you are mostly using Windows); however, by not using inherit and setting the umask to 077, you will get the same protections on Windows and better protections on Linux (recommended if you are mostly using Linux).

Regards

Jean-Pierre


Tue Aug 11, 2009 09:31
Post Re: Problem using and understanding ntfs-3g advanced features
Hi,

Thank you for your help.

Can you tell me why and if I need the line:
# default
::S-1-5-21-2140803266-724856210-402028614-10000

Is it necessary?

I use the UserMapping below:

# SM1
1000::S-1-5-21-2140803266-724856210-402028614-1923
# Groupes DIM-UB2\Utilisa. du domaine
:1000:S-1-5-21-2140803266-724856210-402028614-513
# default
::S-1-5-21-2140803266-724856210-402028614-10000

There is no difference.

The rights with the option inherit are:

LOGIN : DIM-UB2\SM1 : All rights
GROUP : ADMINISTRATEURS : All rights
GROUP : SYSTEM : All rights

And it's OK for me.

There is only one user on Linux, but on Windows, different administrators should be able to access the folder to resolve hotline problems.

Do you think this situation is OK and safe?

THANKS


Tue Aug 11, 2009 16:04
NTFS-3G Lead Developer

Post Re: Problem using and understanding ntfs-3g advanced features
Hi,

Quote:
Can you tell me why and if I need the line:
# default
::S-1-5-21-2140803266-724856210-402028614-10000

This will only be used if you create files owned by other users, for example if you "untar" external tar files.
It depends on what you are doing on Linux. Anyway if you feel this is unsafe, just make this line a comment until you are in a situation where you need it.
Quote:
different administrators should be able to access the folder to resolve hotline problems.

No worry : in all situations, administrators will have full rights on created files.
Quote:
Do you think this situation is OK and safe?

On Windows, you will be using your current rules, which are as good as... your current rules. On Linux, this is also reasonably safe, but files will generally be created with execution rights, so beware if you download something suspicious.

Regards

Jean-Pierre


Tue Aug 11, 2009 22:18
Post Re: Problem using and understanding ntfs-3g advanced features
Hi,
Thanks for all.
Last question: where can I find the man page for the advanced options like --inherit?

Regards


Wed Aug 12, 2009 15:08
NTFS-3G Lead Developer

Post Re: Problem using and understanding ntfs-3g advanced features
Hi,

Quote:
Where can I find the man page for the advanced options like --inherit?

Inherit is the only option specific to the advanced version. The options to be used according to the needs are detailed in http://pagesperso-orange.fr/b.andre/per ... ml#options . I will change the typesetting of the options in the tables and add a couple of examples to make things clearer.

Regards

Jean-Pierre


Wed Aug 12, 2009 20:36