You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cls = <class 'fs.smbfs.smbfs.SMBFS'>, sd = <smb.security_descriptors.SecurityDescriptor object at 0x04DDD7F0>
@classmethod
def _make_access_from_sd(cls, sd):
...
> other_ace = next(ace for ace in sd.dacl.aces
if str(ace.sid).startswith(smb.security_descriptors.SID_EVERYONE))
E StopIteration
I know the file that _make_access_from_sd is choking on, so I dug in and examined it more deeply using pysmb. The problem appears to be that the "everyone" SID does not correspond to any of the file's ACEs. In fact, of the ACEs that _make_access_from_sd checks for, in my particular case only the "owner" ACE exists:
In [10]: smb.security_descriptors.SID_EVERYONEOut[10]: 'S-1-1-0'In [11]: conn.getSecurity('test', 'foo.txt').ownerOut[11]: SID('S-1-5-21-3526669579-2242266465-3136906013-1006')
In [12]: conn.getSecurity('test', 'foo.txt').groupOut[12]: SID('S-1-5-21-3526669579-2242266465-3136906013-513')
In [8]: [a.sidforainconn.getSecurity('test', 'foo.txt').dacl.aces]
Out[8]:
[SID('S-1-5-18'),
SID('S-1-5-32-544'),
SID('S-1-5-32-545'),
SID('S-1-5-21-3526669579-2242266465-3136906013-1006')]
The text was updated successfully, but these errors were encountered:
_make_access_from_sd makes a hard assumption that the "everyone" ACE exists. One way to fix this would be to explicitly check for the existence of each of the relevant ACEs (ie "everyone", "owner", and "group") separately. If one of these ACEs does not exist, you would then interpret the corresponding Posix-like permission as none or empty.
I think this would also be more correct than the current behavior of _make_access_from_sd on Linux. Currently, _make_access_from_sd assumes that any missing ACE has at least the same permissions as "everyone". However, this fails to capture permission settings such as 007, which is perfectly valid on Linux.
I retract my previous suggestion, based on my experiments with ACEs in Windows. The way that ACE rights combine is surprisingly complex, but one thing that seems to definitely be true is that any user (including a file owner) has at least as much rights as the "everyone" access control entry.
jupyter-fs is built on top of fs.smbfs, and I've been working to make it compatible with Windows. Right now I'm getting an error in my pytest CI on Windows durring
SMBFS._make_access_from_sd
:I know the file that
_make_access_from_sd
is choking on, so I dug in and examined it more deeply using pysmb. The problem appears to be that the "everyone" SID does not correspond to any of the file's ACEs. In fact, of the ACEs that_make_access_from_sd
checks for, in my particular case only the "owner" ACE exists:The text was updated successfully, but these errors were encountered: