Dynamic groups (was Samba and groups > 16)

Edgar, Bob Bob.Edgar at commerzbankib.com
Tue Mar 8 13:03:34 GMT 2005


Forgive my naivety but what is wrong with the following:

try to open/create the file/directory
if EACCES {
	foreach group in longlist {
		addgroup to groups list
		try to open/create the file/directory
		if success break
	}
	if failure return EACCES
}

The OS is responsible for the permission checking as always,
the typical case has no additional overhead, and if the groups
list isn't stupidly long the extra time is minimal. The only
thing I'm not sure about is whether to restore the original
group to the end of the list or not. I would tend to think
not.

Sun _should_ fix the problem but since it's been around for a long
time and is broken in lots of places I suspect there's a good
reason so I'm not optimistic.

bob
		

-----Original Message-----
From: samba-technical-bounces+bob.edgar=commerzbankib.com at lists.samba.org
[mailto:samba-technical-bounces+bob.edgar=commerzbankib.com at lists.samba.org]
On Behalf Of Volker Lendecke
Sent: Tuesday, 8 March 2005 08:40
To: David Collier-Brown
Cc: samba-technical at lists.samba.org
Subject: Re: Dynamic groups (was Samba and groups > 16)


On Mon, Mar 07, 2005 at 12:54:55PM -0500, David Collier-Brown wrote:
> I try to read /tmp/foo via samba, but the open fails with EACCES.
> A stat of the file returns
> -rw-r--r--   1 n1sps    n1sps          0 Mar  7 12:45 /tmp/foo
> 
> Samba looks in my long list of (AD) groups, finds n1sps, sees
> it is NOT in my active groups list and substitutes it for pwrtl.
> 
> It then retries, and if it's a read request succeeds. If it's
> a write request it gets EACCES again, but this time I'm already
> in the right group, so samba returns -1, errno=EACCES.

Fine. This might work in the simple case without ACLs. Or worse: You're
currently not in group n1sps, but the mode is 707. According to AD you
should be denied access as AD says you're in group n1sps, but you are
granted access now, as the mask for "others" applies. Ouch. So it ends up
as a complete user-space implementation of access controls which is racy
at best. With Posix ACLs which are necessary in all but the simplest
environments this only gets worse. It's not only a stat() call per file
system access but a complete reading of the ACL.

Sorry, but Jerry is right: Fix your OS.

> 	Which means that only Linux can be used for large sites!
> 	Which is cool for Linuxians, but a bummer for anyone using
> 	BSD!

No, this is *not* limited to Linux. This is limited to all operating systems
that have removed this silly and unnecessary limit.

Volker
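
Added example, not part of the original thread: a Python model of the classic mode-bit check (no ACLs) showing the mode 707 case described above, where retrying only on EACCES grants access that the complete group list would deny. The uids, gids and the 20-group membership are constructed, and swapping a group into the last slot is an assumption about how the substitution would be done.

```python
# Added illustration; uids, gids and the 20-group membership are constructed.
R, W, X = 4, 2, 1
NGROUPS_LIMIT = 16          # the limit named in the thread subject

def mode_allows(mode, f_uid, f_gid, uid, groups, want):
    """Classic POSIX mode check without ACLs: exactly one class applies
    (owner, else group, else other); later classes are never consulted."""
    if uid == f_uid:
        bits = (mode >> 6) & 7
    elif f_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def retry_scheme(mode, f_uid, f_gid, uid, full_groups, want):
    """Try with the truncated list; only on denial swap each remaining
    group into the last slot and retry, as proposed in the thread."""
    active = full_groups[:NGROUPS_LIMIT]
    if mode_allows(mode, f_uid, f_gid, uid, active, want):
        return True                      # no EACCES, so no retry happens
    for gid in full_groups[NGROUPS_LIMIT:]:
        trial = active[:-1] + [gid]      # assumed substitution strategy
        if mode_allows(mode, f_uid, f_gid, uid, trial, want):
            return True
    return False

def compare(mode, want):
    """Return (retry scheme result, result with the complete group list)."""
    user_uid, owner_uid = 1001, 1002
    full = list(range(3000, 3020))       # 20 groups, 4 beyond the limit
    n1sps = full[17]                     # file's group, outside the first 16
    return (retry_scheme(mode, owner_uid, n1sps, user_uid, full, want),
            mode_allows(mode, owner_uid, n1sps, user_uid, full, want))

if __name__ == "__main__":
    for mode in (0o640, 0o707):
        got, expected = compare(mode, R)
        print(f"mode {mode:04o}: retry scheme={got} full group list={expected}")
```

For mode 640 the two results agree; for mode 707 the first attempt succeeds through the "other" bits, so the retry path that would have found the denying group class is never reached.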

