"Inherit Permissions" request for comments

Tue May 30 11:52:51 GMT 2000

On Mon, 29 May 2000, David Collier-Brown wrote:

> Kyle Herbert wrote:
> > My premise is simple:  to inherit group permissions for a new file or
> > sub-directory from the parent directory without also inheriting the group
> > ownership of the new file or sub-directory from the parent directory is an
> > exploitable flaw in security.  (i.e.  Inheriting the write attribute for the
> > group-owner looses its meaning when the group-owner is altered.)
> > 
> > The current implementation of the "inherit permissions" feature in Samba
> > 2.0.7 is 'flawed' (or 'featured' depending upon your point of view ;-) in
> > this way.  I devised the attached patch to correct this in hopes that in
> > some form it would be included in the next Samba release.
> 
> 	This seems sane, and hopefully will reduce the effective
> 	complexity of the various create mask options...

... except that "inherit permissions" already overrides all the "create
mask" options, even those called "force ...".  Thus all that complexity is
not only reduced, it is removed when "inherit ..." is the determinant. 

In another message, just posted, I suggest a new:
  inherit group owner = { yes | no }

which allows the functionality to work either way.  Indeed, in the absence
of "inherit permissions" it also allows UNIX/setgid to be simulated, which
can be regarded as a different flavour of "force group".

> > I'd like to hear other people's opinions.  Rather than patching Samba,
> > closing this security hole can be achieved by requiring the sysadmin to use
> > setgid on the share directory at the operating system level.  This
> > requirement, however, can only be enforced via documentation,
> 
> 	We've simulated Unix features before (indeed, with the
> 	create masks), so this is a credible direction.
> 
> 	In addition, I'll propose that merely mapping an existing
> 	Unix feature to Samba is inherently a better idea than
> 	inventing a new one.

... hence the suggested "inherit group owner" above.

I know nothing about NT permissions.  But I gather (am I correct?) that
NT's natural behaviour is similar to UNIX+setgid.  We'd need to consider
the similarities and any differences in any implementation in Samba.

Hope that helps.

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :