[Samba] Access Problems after Update 4.13.13 to 4.17.10

Achim Gottinger achim at ag-web.biz
Fri Sep 8 12:59:00 UTC 2023


On 08.09.2023 at 14:30, Michael Tokarev wrote:
> 08.09.2023 15:18, Achim Gottinger via samba:
>> 4.17:
>>
>> chdir("/data/data")                     = 0
>> stat(".", {st_mode=S_IFDIR|0777, st_size=3, ...}) = 0
>> stat("/data/data", {st_mode=S_IFDIR|0777, st_size=3, ...}) = 0
>> openat2(AT_FDCWD, "Neuer Ordner", {flags=O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY, resolve=RESOLVE_NO_SYMLINKS}, 24) = -1 EPERM (Die Operation ist nicht erlaubt)
> ...
>> Which led to this bug report
>> https://github.com/containers/crun/issues/545  Fallback from openat2 to openat under systemd-nspawn
>
> Wow.  Now that's.. gross..
>
> I wonder why it all Just Works here (be it 4.17 or 4.18), - *all* our
> samba installations are running within nspawn containers without any
> extra permissions.
>
> It seems that currently, this filter is only enabled when
> RestrictSUIDSGID is true.  Or maybe I'm wrong.
>
>
> /mjt
Updated systemd-container on the buster host system using the one from buster-backports. (247.3-6~bpo10+1) ... (241-7~deb10u10).
This fixes the error in the container.

But it is using openat and not openat2 now. I do not use extra flags for the container.

chdir("/data/data")                     = 0
stat(".", {st_mode=S_IFDIR|0777, st_size=3, ...}) = 0
stat("/data/data", {st_mode=S_IFDIR|0777, st_size=3, ...}) = 0
gettimeofday({tv_sec=1694177696, tv_usec=614826}, NULL) = 0
getcwd("/data/data", 4096)              = 11
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH) = 31
fstat(31, {st_mode=S_IFDIR|0777, st_size=3, ...}) = 0
gettimeofday({tv_sec=1694177696, tv_usec=616397}, NULL) = 0
openat(31, ".", O_RDONLY|O_NOFOLLOW|O_PATH) = 37


achim~
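
Added example, not part of the original message and not Samba's code: a small probe that repeats the openat2 call from the 4.17 trace inside the container and separates "kernel has no openat2" (ENOSYS) from "openat2 is refused while plain openat with the same flags works" (EPERM), the pattern seen in this thread. The `probe_*` names, the fallback definitions for `SYS_openat2` and `O_PATH`, and reading EPERM as a sign of a syscall filter are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_openat2
#define SYS_openat2 437   /* assumption: number used when old headers lack it */
#endif
#ifndef O_PATH
#define O_PATH 010000000  /* assumption: asm-generic value, if headers hide it */
#endif
#define PROBE_RESOLVE_NO_SYMLINKS 0x04  /* RESOLVE_NO_SYMLINKS, linux/openat2.h */

/* Local copy of the kernel's struct open_how (24 bytes, as in the trace). */
struct probe_open_how { uint64_t flags, mode, resolve; };

enum probe_result { OPENAT2_OK, OPENAT2_NO_KERNEL_SUPPORT,
                    OPENAT2_FILTERED, OPENAT2_OTHER };

/* Map an openat2() outcome to a diagnosis; EPERM => filtered is a heuristic. */
enum probe_result classify_openat2(long ret, int err)
{
    if (ret >= 0)      return OPENAT2_OK;
    if (err == ENOSYS) return OPENAT2_NO_KERNEL_SUPPORT;
    if (err == EPERM)  return OPENAT2_FILTERED;
    return OPENAT2_OTHER;
}

/* Repeat the traced call on dir, then cross-check EPERM with plain openat(). */
enum probe_result probe_openat2(const char *dir)
{
    const int flags = O_RDONLY | O_NOFOLLOW | O_PATH | O_DIRECTORY;
    struct probe_open_how how = { .flags = (uint64_t)flags,
                                  .resolve = PROBE_RESOLVE_NO_SYMLINKS };
    long fd = syscall(SYS_openat2, AT_FDCWD, dir, &how, sizeof(how));
    int err = errno;
    if (fd >= 0) close((int)fd);
    enum probe_result r = classify_openat2(fd, err);
    if (r == OPENAT2_FILTERED) {
        int fd2 = openat(AT_FDCWD, dir, flags);  /* same flags, older syscall */
        if (fd2 < 0) return OPENAT2_OTHER;       /* directory itself not openable */
        close(fd2);
    }
    return r;
}

/* Prints 0 = works, 1 = ENOSYS, 2 = EPERM while openat works, 3 = other error. */
int main(void) { return printf("openat2 probe: %d\n", probe_openat2(".")) < 0; }
```

Run it once on the host and once inside the nspawn container: a result of 2 only inside the container points at the container's syscall filtering rather than at file permissions on the share.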


