[Samba] dos filemode (security concern)

Ralf Gross Ralf-Lists at ralfgross.de
Fri Feb 29 11:34:10 GMT 2008


Jeremy Allison wrote:
> On Fri, Feb 29, 2008 at 11:26:48AM +0100, Ralf Gross wrote:
> > Ralf Gross wrote:
> > > 
> > > I've a question about the 'dos filemode' option (samba 3.0.24, debian etch). I
> > > want to use this option to allow group members  with write access to add/change
> > > permissions.
> > > 
> > > man smb.conf:
> > > 
> > > dos filemode (S)
> > > only the owner of a file/directory is able to change the permissions on it.
> > > However, this behavior  is  often confusing  to  DOS/Windows users. Enabling
> > > this parameter allows a user who has write access to the file (by whatever
> > > means) to modify the permissions (including ACL) on it. Note that a user
> > > belonging to the group owning the file will not be allowed to change
> > > permissions if the group is only granted read access. Ownership of the
> > > file/directory may also be changed.
> > > 
> > > 
> > > I am a member of the group users, but I've no write access to the directory. So
> > > I'd think that I'm not allowed to add users or change permissions. But this is
> > > not true here.
> > [...]
> > 
> > This starts to be a real problem here...
> > 
> > The 'dos filemode' option is not working as described in the man page.
> > At least not for me.
> > 
> > Following the man page, users with write permissions should be able to
> > change permission. But that's not what I observe here.
> > 
> > - the owning group is always able to change the permissions, even if I
> >   remove all permissions for this group (group::---).
> > 
> > - other users with write access are not allowed to change permissions
> >   (either with direct rwx permissions or as member of a group with rwx
> >   perms)
> 
> The docs are confusing here. For permission control,
> the semantics of the "acl group control" are being
> replaced by "dos filemode". The docs for "acl group control"
> state :
> 
> In a POSIX filesystem, only the owner of a file or directory and  the  superuser
> can  modify  the  permissions and ACLs on a file. If this parameter is set, then
> Samba overrides this restriction, and also allows the primary group owner  of  a
> file or directory to modify the permissions and ACLs on that file.
>
> which is what you are seeing.
> 
> The internal code is :
> [snip]
> What we should do I think is add the text from "acl group control" to
> the "dos filemode" text.

Thanks for your response. Btw, there is also an open bug report about
this: https://bugzilla.samba.org/show_bug.cgi?id=5255

So the behavior of the 'dos filemode' option and the 'acl group
control' are mixed at the moment?

I think the description of the 'dos filemode' option in the man page
is completely wrong...

dos filemode (S)

    The default behavior in Samba is to provide UNIX-like behavior
    where only the owner of a file/directory is able to change the
    permissions on it. However, this behavior is often confusing to
    DOS/Windows users. Enabling this parameter allows a user who has
    write access to the file (by whatever means) to modify the
    permissions (including ACL) on it. Note that a user belonging to
    the group owning the file will not be allowed to change
    permissions if the group is only granted read access. Ownership of
    the file/directory may also be changed.


...because the owning group is always able to change permissions,
regardless of whether it has write access to a file or not. And other users
never get the right to change permissions, even if they have write
access.

Ralf
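
An added example, not part of the original post and not Samba code: since the thread reports that the owning group can change permissions whatever its mode bits are, this audit lists the shares in an smb.conf where `dos filemode` or `acl group control` is effectively enabled. The sample configuration, share names and function names are constructed; inheritance from `[global]` and the default of `no` are assumptions based on standard smb.conf behaviour.

```python
import configparser

# Constructed sample smb.conf; share names and paths are made up.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
dos filemode = no

[projects]
path = /srv/projects
Dos FileMode = Yes

[archive]
; no override here, so the [global] value applies
path = /srv/archive

[scratch]
path = /srv/scratch
acl group control = yes
"""

# smb.conf ignores case and whitespace in parameter names: compare normalized keys.
WATCHED = {"dosfilemode": "dos filemode", "aclgroupcontrol": "acl group control"}
TRUE_VALUES = {"yes", "true", "on", "1"}

def normalize(name):
    """Lower-case a section or parameter name and drop all whitespace."""
    return "".join(name.split()).lower()

def shares_delegating_permission_changes(conf_text):
    """Map each share to the watched options that are effectively enabled."""
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), strict=False)
    parser.optionxform = normalize
    parser.read_string(conf_text)
    global_values = {}
    for section in parser.sections():
        if normalize(section) == "global":
            global_values = dict(parser.items(section))
    findings = {}
    for section in parser.sections():
        if normalize(section) == "global":
            continue
        # A share-level setting overrides [global]; unset means the default "no".
        effective = {**global_values, **dict(parser.items(section))}
        enabled = [label for key, label in WATCHED.items()
                   if effective.get(key, "no").strip().lower() in TRUE_VALUES]
        if enabled:
            findings[section] = enabled
    return findings
```

Pass it the text of your own smb.conf and review the ownership and group membership of files under each share it returns.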

