permissions on samba share

simo idra at samba.org
Fri Jul 20 13:52:46 MDT 2012 

On Fri, 2012-07-20 at 12:38 -0700, Todd Brunhoff wrote: 
> On 07/20/2012 12:20 PM, simo wrote:
> > On Fri, 2012-07-20 at 11:31 -0700, Todd Brunhoff wrote:
> >> To answer my own question... it was selinux. Turn it off and everything
> >> works.
> >>
> >> On 07/19/2012 01:58 PM, Todd Brunhoff wrote:
> >>
> >>> After reinstalling fedora 16 from scratch, I cannot get samba to work
> >>> correctly. I can log in successfully with smbclient and I can map a
> >>> network drive, but then I cannot get access to my login directory.
> > Have you read the sample confg file where there is a whole section that
> > gives you commands to run and booleans to turn in an howto fashion ?
> >
> > Don;t simple turn things off, SeLinux is there to help you.
> >
> > Simo.
> I did read the sample smb.conf, and several others, and I didn't see 
> anything relevant. Nor did I find anything in the smb.conf man page. Nor 
> did I find anything in the source rpm that appeared to have an effect. 

This is the default smb.conf in fedora 16:
http://pkgs.fedoraproject.org/gitweb/?p=samba.git;a=blob;f=smb.conf.default;h=fe0d921e37c2c1c11c7b24fdad59fd46d149b9bb;hb=aa2fcfacca1a5a0c80edaee5363c981b1e30c14f

Start stalking about SeLinux at line 20 ... not sure how I can make it
more evident.

> And after turning on debug level 10 and running strace on smbd, I found 
> that it was an openat() call that failed with permission denied. Based 
> on failure with selinux enabled and success without, it appears that 
> selinux will deny access when real uid/gid does not match effective 
> uid/gid. I would guess that I could turn off a certain policy in 
> selinux, but given that I am behind a firewall, I see no point in 
> wrestling with that.

No, SeLinux doesn't care about uids or gids, SELinux is a Mandatory
Access Control system and bases it's decisions on labels.

A very simple explanation is the following:
- Each process is assigned a label, daemons in particular have specific
labels that disnguish them from any other kind.
- Each label is associated with a set of policies that determine which
objects the process can access.
- Each object (generally files on the file system) have associated a
label which is used by the policy to decide if a process can have access
to them.

Now by default samba has a pretty strict security policy, that's to
avoid mistakenly exposing information given samba is a network file
server.
However it is very simple to open-up permissions.
For things like home directories on which yuo *do not want* to change
the labels there is a seboolean that will tel the policy to let samba
access files in home directories.

For random directories instead you can change the labels on files (you
need to do it once, all new files in the directory properly labeled
inherit the right labels).

> I do find it interesting that you imply certain booleans in smb.conf 
> might be the answer, but you did not suggest any that might be applicable.

Read the file I linked above, it explains it all.

> If my theory about selinux and real/effective uid/gid mismatch is right, 
> then perhaps the samba implementation should be calling setreuid() and 
> setregid().

Your theory is absolutely wrong :)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>

More information about the samba-technical mailing list