[Samba] Samba omitting the user group setting, might be a bug
John Mulligan
phlogistonjohn at asynchrono.us
Mon Feb 19 19:31:06 UTC 2024
On Monday, February 19, 2024 8:16:30 AM EST Marco Gaiarin via samba wrote:
> Mandi! Fyodor Kravchenko via samba
> In chel di` si favelave...
>
> > Thank you, nesting is set to 1. Is there anything else we could check?
>
> AFAIK, no. Next step is to use a privileged container, but really in this case
> better using a VM.
Hi all,
You can run smbd in an unprivileged container given the following condition:
you do not try to read/write xattrs in the `security` namespace.
By default the acl_xattr module uses the `security.NTACL` xattr meaning that
you either need to change how your acls are stored or avoid using acl_xattr
vfs module. You can change where the acl metadata is stored with the
`acl_xattr:security_acl_name` smb.conf option (See:
https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html ).
Only the "root" user (users with the CAP_SYS_ADMIN capability) can access
xattrs in the security namespace.
Note that doing so has security implications. If you are serving out shares
over other file servers (NFS, for example) or you let untrusted users have
local access to the dirs you are sharing this can weaken Samba's security
model. However, if samba is the only thing providing access to these shares it
may be acceptable to you.
Also note that changing the setting can make samba "overlook" any previously
set `security.NTACL` metadata so changing the setting might make it look like
you suddenly lost all your existing acls.
---
I frequently run unprivileged smbd containers (and winbindd, etc) and aside
from recent issues with samba master branch changes I have not hit anything
major when I keep the above in mind.
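As an added illustration (not part of the post above), here is a small audit script that reads an smb.conf and reports, per share that loads the acl_xattr module, which xattr name the NTACL ends up in and whether that name sits in the privileged `security.` namespace. The sample smb.conf and the minimal parser are constructed for this example; the parser ignores `include =` and `%`-macro expansion, and assumes a share-level setting simply overrides the `[global]` one.

```python
# Constructed sample smb.conf for this example (not from the original post).
SAMPLE_SMB_CONF = """
[global]
   vfs objects = acl_xattr

[projects]
   path = /srv/projects
   acl_xattr:security_acl_name = user.NTACL

[archive]
   path = /srv/archive

[public]
   path = /srv/public
   vfs objects = catia
"""
DEFAULT_ACL_XATTR = "security.NTACL"  # acl_xattr's default NTACL location

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lower-cased, no include/macro support."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def effective(sections, share, key):
    """A share-level setting overrides [global]; None if neither sets it."""
    return sections[share].get(key, sections.get("global", {}).get(key))

def acl_xattr_report(text):
    """Map share -> (xattr name, needs CAP_SYS_ADMIN) for shares loading acl_xattr."""
    sections, report = parse_smb_conf(text), {}
    for share in sections:
        if share == "global":
            continue
        modules = (effective(sections, share, "vfs objects") or "").split()
        if "acl_xattr" not in modules:
            continue  # this share does not keep NTACLs in xattrs
        name = effective(sections, share, "acl_xattr:security_acl_name") or DEFAULT_ACL_XATTR
        # Only the security.* namespace needs CAP_SYS_ADMIN to read or write.
        report[share] = (name, name.startswith("security."))
    return report
```

Shares flagged `True` are the ones whose ACL reads and writes would fail for an smbd running without CAP_SYS_ADMIN; shares whose name was moved out of `security.` are also the ones where previously stored `security.NTACL` data will no longer be consulted.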