"Inherit Permissions" request for comments

David Lee T.D.Lee at durham.ac.uk
Wed May 31 08:53:18 GMT 2000 

On Wed, 31 May 2000, Kyle Herbert wrote:

>    We seem to be shying away from my original purpose in patching the code,
> and getting into implementation specifics.  I'm surprised there hasn't been
> more discussion regarding security and parallelism with NT.

Don't get down-hearted.  All that is happening is that we are exploring
around the area before rushing in.  In my own experience with Samba
development, this apparent delay can appear frustrating, but in the longer
term turns out for the best. 

Indeed, there seems to be consensus of agreement with you that the
principle of inheriting group ownership is a good one.

>    Based on the posts made thus far, I think we're agreeing that as a
> default behavior it is not secure (for example) to inherit the group-owner's
> write attribute without also inheriting the group-owner's GID.  It has been
> pointed out, however, that this can be protected against by using setgid at
> the operating system level or by implementing a new feature in Samba to do
> so explicitly (inherit group owner = yes | no).  I question why the default
> behavior should be something that needs to be protected against!

We have been discussing the possible behaviours: this is different from
discussing defaults.  When these options and their implications have been
thought through, then defaults need to be decided.

So although I put "the case for the defence" (i.e. the current behaviour)
this does not have any implications for the defaults (other than to be
weighed in the balance when those decisions are made).

It is important to distinguish the (earlier) working through of the issues
from the (later) choice of the defaults.

(It so happens that I am beginning to agree with you, in regard to the
default, that the default behaviour should probably be to inherit group
ownership.)

But in reaching any decision, we also need to consider UNIX+setgid
behaviour and ensure that, as far as possible, Samba and UNIX work with
each other, enhancing each other; we need to be careful about introducing
features that might set these in opposition. 

So take heart.  Give the discussion a chance to evolve, and keep
contributing to it.  Your contribution is valuable:  look how much
interest it has sparked, including from Jeremy Allison himself.

>    The default behavior should be designed as securely as possible with
> administrative flexibility available when required :-)  By default,
> therefore, inheriting group-owner permissions implies inheriting group-owner
> GID -- easily implemented inside Samba.

Possibly.  Probably.  But I don't think we're yet at the point of
discussing defaults.  We haven't even tabulated the possible interactions
of the proposed Samba options and the UNIX setgid bits yet.

>    The average Windows NT administrator won't typically know what "setgid"
> bits are, let alone how to set them.  With the group-ownership handled by
> Samba at the application level and not at the operating system level, no
> future NT administrator will have to understand or work with the setgid bit.
> It'll be transparent --- just a right-click on the Samba share or
> sub-directory thereof and a change in the ownership; no logging into the
> Samba server to do a chmod.  (This is futuristically speaking, of course,
> but you can see why I am not a proponent of the operating system based
> solution.)  I also don't relish the task of stripping off the setgid bits
> and doing extra chowns as I administer shares from the Unix side.  There's
> no equivalence for a setgid bit in Windows NT; why should it be required of
> a drop-in Windows NT replacement server?

You put a good case.   But your last sentence needs elaborating.  For many
people, yes, Samba is simply a Windows drop-in replacement.  But for
others it is also the filestore of a combined Windows/UNIX unified service
and the UNIX aspects require consideration in their own right (not just as
a vehicle onto which to map NT concepts).  That is why we are discussing
the subject rather than leaping straight in...

(Even that needs elaborating ... there are different flavours of UNIX, and
even, I believe, some non-UNIX platforms running Samba.)

Hope that helps.  Take heart!

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

More information about the samba-technical mailing list