FW: patch for safer/saner permissions setting

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Mon Jun 14 21:07:07 GMT 1999


> David Collier-Brown wrote:
> 
> >         Logically, I can argue that the special bits
> >         should be honored/retained by Samba if the
> >         ordinary create mask allows them, and forced
> >         into place if the force masks sets them.
> > 
> >         That's sufficient, and probably necessary
> >         (in the academics' sense of "necessary").
> 
> Yeeesssss, sort of, but currently all examples are given
> without including the special bits, with the result
> that Samba never creates files with the group setuid
> bit set (for BSD semantics on directories for example).
> 
	[Cole, Timothy D.]  

	Actually, I just tried that, and at least under HP-UX, stock 2.0.3
does appear to honor the OS's normal semantics wrt creation of files in sgid
directories, even though the create mask would not seem to allow that.

	Although I haven't tracked down the relevant code yet, I suspect it
uses the umask alone to enforce the create mask, and then subsequently just
ORs in the force mode with a stat()/chmod() (which is IMO the right thing
to do, as it results in the permissions widening instead of narrowing
towards the desired creation permissions, minimizing the possibility for
dangerous security races, as well as honoring the OS's own semantics as
nearly as possible).

> A counter argument is that if an admin sets up directory
> with the BSD inherit group semantics then, as there is no way
> in the NT permissions dialog to set it then Samba should
> just leave the special bits alone on a security change SMB.
> 
	[Cole, Timothy D.]

	The best way of looking at it is to consider which of the two
behaviors will cause the least damage.  I believe that the "safest" behavior
is to try as hard as possible to honor the normal behavior of the OS,
enforcing Samba's special restrictions only on specific changes made through
the "user interface" provided through SMB itself, and never discarding any
bits that the OS does not discard.  As for those bits that cannot be
manipulated via the NT permissions dialog, let sleeping bits lie.

> Jeremy.
> 
> -- 
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------
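An added illustration of the create-then-widen ordering speculated about in the message above (example code, not Samba's own; the create_with_masks helper, the 0744/0060 sample values and the /tmp path are assumptions): the file is born no wider than the create mask, and the force mode is then ORed into whatever the OS actually produced, so OS-set bits are kept and permissions only ever widen.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Samba's code: create `path` the way the message
 * above speculates Samba does it.  Step 1 enforces the create mask through
 * the umask alone, so the file never exists wider than the mask.  Step 2
 * fstat()s what the OS actually produced and ORs in the force mode, so any
 * bit the OS set on its own is kept and permissions only widen toward the
 * target, never narrow.  Returns st_mode & 07777 on success, -1 on error. */
int create_with_masks(const char *path, mode_t create_mask, mode_t force_mode)
{
    struct stat st;
    mode_t kept, target;

    /* Step 1: the umask is process-wide, so save and restore it around open(). */
    mode_t old = umask(~create_mask & 0777);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0)
        return -1;

    /* Step 2: read back what the OS created, then widen with the force mode. */
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    kept = st.st_mode & 07777;
    target = kept | force_mode;
    if (target != kept && fchmod(fd, target) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)target;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/masks_demo_%ld", (long)getpid());
    /* Constructed sample: create mask 0744, force create mode 0060. */
    int mode = create_with_masks(path, 0744, 0060);
    if (mode < 0) {
        perror("create_with_masks");
        return 1;
    }
    printf("%s created with mode %04o\n", path, mode);
    unlink(path);
    return 0;
}
```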

