[Samba] Share Permissions vs. Security

Andrew Walker walker.aj325 at gmail.com
Mon Feb 8 17:50:23 UTC 2021


On Sun, Feb 7, 2021 at 1:52 PM Stefan Kania via samba <samba at lists.samba.org>
wrote:

> The shared-permission is only interesting when accessing the filesystem
> via the network. Let's say you give "Full Access" on a folder inside
> your share. The shared-permission is set to "everyone full" so if
> someone logs in at the system only the filesystem permission is
> checked. The shared-permission is used. If someone accesses the same
> folder via the network, first the shared-permission is checked. It's set
> to "everyone full" so no restriction and the user will get "full Access"
> via the filesystem permission. Now change the shared-permission to
> "readonly". Still the user logged in locally will get full access. BUT
> now: When a user accesses the share the maximum permission he can get is
> read, every other permission is filtered. So the setting of the
> shared-permission is always the maximum permission via the network.
>
> The other way around shared-permission is set to "everyone full" and
> filesystem permission is set to "read" a user accessing via network will
> get no more than "read" permission.
>
> So shared-permission can only remove permissions, NEVER gives permission.
> It's a little bit like the "mask" in Filesystem ACLs.


The share permissions settings are useful if for some reason you are
sharing a filesystem that lacks permissions. In the modern world I'm not
sure of a case where this is a good idea, but sharing FAT filesystems used
to be a thing. I have seen some users make heavy use of the parameter
"access based share enumeration" to limit shares that are visible to users
(on servers that may have large numbers of shares).
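
The masking behaviour discussed in this thread, as an added example that is not part of the original messages and is not Samba's code: a simplified model in which network access is the intersection of the share ACL and the filesystem ACL, while local access consults the filesystem ACL only. The ACLs, the principal names and the helper names are constructed for illustration; the mask values are the standard Windows file access rights.

```python
# Simplified model for illustration; not Samba's implementation.
# Mask values are the standard Windows file access rights.
FILE_GENERIC_READ = 0x00120089
FILE_ALL_ACCESS = 0x001F01FF

def max_allowed(acl, principals):
    """Walk an ordered ACL of (kind, principal, mask) entries and return
    the maximum access mask a token holding `principals` can obtain."""
    granted = denied = 0
    for kind, who, mask in acl:
        if who not in principals:
            continue
        if kind == "deny":
            denied |= mask & ~granted   # deny only bits not already granted
        else:
            granted |= mask & ~denied   # allow only bits not already denied
    return granted

def effective_access(share_acl, fs_acl, principals, via_network):
    """Filesystem ACL always applies; the share ACL only filters SMB access."""
    fs = max_allowed(fs_acl, principals)
    if not via_network:
        return fs                       # local login: share ACL not consulted
    return fs & max_allowed(share_acl, principals)

# Constructed sample token and ACLs (hypothetical names).
TOKEN = {"Everyone", "alice"}
SHARE_FULL = [("allow", "Everyone", FILE_ALL_ACCESS)]
SHARE_READ = [("allow", "Everyone", FILE_GENERIC_READ)]
FS_FULL = [("allow", "alice", FILE_ALL_ACCESS)]
FS_READ = [("allow", "alice", FILE_GENERIC_READ)]

def name(mask):
    known = {FILE_ALL_ACCESS: "full", FILE_GENERIC_READ: "read", 0: "none"}
    return known.get(mask, hex(mask))

if __name__ == "__main__":
    cases = [("share full / fs full", SHARE_FULL, FS_FULL),
             ("share read / fs full", SHARE_READ, FS_FULL),
             ("share full / fs read", SHARE_FULL, FS_READ)]
    for label, share, fs in cases:
        net = effective_access(share, fs, TOKEN, via_network=True)
        local = effective_access(share, fs, TOKEN, via_network=False)
        print(f"{label}: network={name(net)} local={name(local)}")
```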

