smbd keeps to change same permission 600 on smbpasswd if download lots of files

Jones jones.kstw at gmail.com
Fri Aug 15 02:53:53 MDT 2014


Hello list,

I found a performance concern when downloading lots of files from a Linux
box, with samba-4.0.5 and the 'passwd backend = smbpasswd'.

There are 1000 files on the Linux box, each 5MB in size.
When I download these files from the Linux box to my win7,
smbd heavily accesses the file smbpasswd.
When I upload these files from my win7 back to the Linux box,
smbd does not touch the file smbpasswd at all.

After digging further[1][2][3],
I found that smbd keeps changing the permission on smbpasswd to 600,
even though it already has mode 600,
and this fchmod()/chmod() makes it dirty.

static FILE *startsmbfilepwent(const char *pfile, enum pwf_access_type type, int *lock_depth)
{
...
/* Make sure it is only rw by the owner */
#ifdef HAVE_FCHMOD
if(fchmod(fileno(fp), S_IRUSR|S_IWUSR) == -1) {
#else
if(chmod(pfile, S_IRUSR|S_IWUSR) == -1) {
#endif
...

And smbpasswd is on an ext3 file system,
which has the default option commit=5 (seconds),
so kjournald is forced to write the dirty data to the backstore every 5 sec,
hmm, probably not good, because this might impact throughput a bit
if a download of 1000 files is in progress at the same time.

With a preliminary test I found 3 methods that could work around this symptom:
1) Move smbpasswd from ext3 to tmpfs.
   - smb passwd file = /etc/config/smbpasswd
   + smb passwd file = /tmp/smbpasswd
   kjournald is not busy every 5 sec, and it saves a bit of backstore
   bandwidth too.
   But smbpasswd might grow if there are many accounts in production usage,
   so it is probably not a good idea to put it on a memory-resident file
   system.

2) nt acl support = no
   The default on the linux box is yes.
   If set to no,
   it looks like generating the SID is not required, so smbpasswd is not
   touched at all,
   so no busy kjournald either.
   Hmm, not sure if this would mess up the original behavior of permission
   or acl checking through samba.

3) Patch as attached
   Check the smbpasswd first. If the mode is already 600,
   do not call fchmod()/chmod() on smbpasswd,
   so no busy kjournald either.

Question:
Is the fchmod()/chmod() required, for example to handle a security issue,
or is there some background I am not aware of?
And does this patch break the security of smbpasswd, so it is probably not
preferred?
Any suggestions are much appreciated,
thanks.


[1] inotify said:
2014-08-15 09:00:12 smbpasswd /etc/config/ OPEN
2014-08-15 09:00:12 smbpasswd /etc/config/ ATTRIB
2014-08-15 09:00:12 smbpasswd /etc/config/ ACCESS
2014-08-15 09:00:12 smbpasswd /etc/config/ CLOSE_NOWRITE,CLOSE
2014-08-15 09:00:12 smbpasswd /etc/config/ OPEN
2014-08-15 09:00:12 smbpasswd /etc/config/ ATTRIB
2014-08-15 09:00:12 smbpasswd /etc/config/ ACCESS
2014-08-15 09:00:12 smbpasswd /etc/config/ CLOSE_NOWRITE,CLOSE
</cut>

[2] loggedfs said:
09:01:51 open /etc/config/smbpasswd {SUCCESS} [ pid = 20063
/usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 chmod /etc/config/smbpasswd to 100600 {SUCCESS} [ pid = 20063
/usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 read 4096 bytes from /etc/config/smbpasswd at offset 0 {SUCCESS} [
pid = 20063 /usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 312 bytes read from /etc/config/smbpasswd at offset 0 {SUCCESS} [
pid = 20063 /usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 open /etc/config/smbpasswd {SUCCESS} [ pid = 20063
/usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 chmod /etc/config/smbpasswd to 100600 {SUCCESS} [ pid = 20063
/usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 read 4096 bytes from /etc/config/smbpasswd at offset 0 {SUCCESS} [
pid = 20063 /usr/local/samba/sbin/smbd uid = 0 ]
09:01:51 312 bytes read from /etc/config/smbpasswd at offset 0 {SUCCESS} [
pid = 20063 /usr/local/samba/sbin/smbd uid = 0 ]
</cut>

[3] gdb said:
Breakpoint 1, 0xf7645d00 in fchmod () from /lib/libc.so.6
#0  0xf7645d00 in fchmod () from /lib/libc.so.6
#1  0xf7a228c4 in startsmbfilepwent (pfile=0x805f510
"/etc/config/smbpasswd", type=PWF_READ, lock_depth=0x805f398) at
../source3/passdb/pdb_smbpasswd.c:340
#2  0xf7a23e94 in smbpasswd_getsampwnam (my_methods=0x805f270,
sam_acct=0x8110db0, username=0x8070aa0 "admin") at
../source3/passdb/pdb_smbpasswd.c:1314
#3  0xf7a162c8 in pdb_default_uid_to_sid (methods=0x805f270, uid=0,
sid=0xffffca7c) at ../source3/passdb/pdb_interface.c:1386
#4  0xf7a18222 in pdb_uid_to_sid (uid=0, sid=0xffffca7c) at
../source3/passdb/pdb_interface.c:1208
#5  0xf7a0fcbf in legacy_uid_to_sid (psid=0xffffca7c, uid=0) at
../source3/passdb/lookup_sid.c:1045
#6  0xf7a0fded in uid_to_sid (psid=0xffffca7c, uid=0) at
../source3/passdb/lookup_sid.c:1179
#7  0xf7d85dac in create_file_sids (psbuf=0xffffcb3c,
powner_sid=0xffffca7c, pgroup_sid=0xffffca38) at
../source3/smbd/posix_acls.c:917
#8  0xf7d8e78b in posix_get_nt_acl_common (conn=0x8075b18, name=0x810ccd8
"folder/file.extention", sbuf=0xffffcb3c, pal=0x0, posix_acl=0x0,
def_acl=0x0, security_
info=32, mem_ctx=0x810eda8, ppdesc=0xffffcc58) at
../source3/smbd/posix_acls.c:3331
#9  0xf7d8fa9b in posix_fget_nt_acl (fsp=0x810c818, security_info=32,
mem_ctx=0x810eda8, ppdesc=0xffffcc58) at ../source3/smbd/posix_acls.c:3576
#10 0xf7e7f9a1 in vfswrap_fget_nt_acl (handle=0x80749a0, fsp=0x810c818,
security_info=32, mem_ctx=0x810eda8, ppdesc=0xffffcc58) at
../source3/modules/vfs_default.c:2691
#11 0xf7d7faa7 in smb_vfs_call_fget_nt_acl (handle=0x80749a0,
fsp=0x810c818, security_info=32, mem_ctx=0x810eda8, ppdesc=0xffffcc58) at
../source3/smbd/vfs.c:2306
#12 0xf7d333f1 in smbd_do_query_security_desc (conn=0x8075b18,
mem_ctx=0x810d8c0, fsp=0x810c818, security_info_wanted=32,
max_data_count=16384, ppmarshalled_sd=0xffffcde0, psd_size=0xffffcd
dc) at ../source3/smbd/nttrans.c:1956
#13 0xf7dc2bf9 in smbd_smb2_getinfo_send (in_flags=<optimized out>,
in_additional_information=<optimized out>, in_input_buffer=...,
in_output_buffer_length=<optimized out>, in_file_info_cla
ss=<optimized out>, in_info_type=<optimized out>, fsp=<optimized out>,
smb2req=<optimized out>, ev=<optimized out>, mem_ctx=<optimized out>) at
../source3/smbd/smb2_getinfo.c:445
#14 smbd_smb2_request_process_getinfo (req=0x810cd70) at
../source3/smbd/smb2_getinfo.c:119
#15 0xf7daf530 in smbd_smb2_request_dispatch (req=0x810cd70) at
../source3/smbd/smb2_server.c:2279
#16 0xf7db0966 in smbd_smb2_request_dispatch_immediate (ctx=0x805a230,
im=0x810d7f0, private_data=0x810cd70) at ../source3/smbd/smb2_server.c:2624
#17 0xf7ae3c68 in tevent_common_loop_immediate (ev=0x805a230) at
../lib/tevent/tevent_immediate.c:135
#18 0xf7aac0f0 in run_events_poll (ev=0x805a230, pollrtn=0, pfds=0x0,
num_pfds=0) at ../source3/lib/events.c:191
#19 0xf7aac725 in s3_event_loop_once (ev=0x805a230, location=0xf7f0400c
"../source3/smbd/process.c:3647") at ../source3/lib/events.c:303
#20 0xf7ae2fb6 in _tevent_loop_once (ev=0x805a230, location=0xf7f0400c
"../source3/smbd/process.c:3647") at ../lib/tevent/tevent.c:542
#21 0xf7d95e6b in smbd_process (ev_ctx=0x805a230, msg_ctx=0x805a2b0,
sock_fd=29, interactive=true) at ../source3/smbd/process.c:3647
#22 0x0805114c in smbd_accept_connection (ev=0x805a230, fde=0x80673e8,
flags=1, private_data=0x8069110) at ../source3/smbd/server.c:721
#23 0xf7aac342 in run_events_poll (ev=0x805a230, pollrtn=1, pfds=0x8064da0,
num_pfds=4) at ../source3/lib/events.c:257
#24 0xf7aac7e4 in s3_event_loop_once (ev=0x805a230, location=0x8055ef2
"../source3/smbd/server.c:1109") at ../source3/lib/events.c:326
#25 0xf7ae2fb6 in _tevent_loop_once (ev=0x805a230, location=0x8055ef2
"../source3/smbd/server.c:1109") at ../lib/tevent/tevent.c:542
#26 0x0805329b in smbd_parent_loop (parent=<optimized out>,
ev_ctx=<optimized out>) at ../source3/smbd/server.c:1109
#27 main (argc=1244572, argv=0xffffda14) at ../source3/smbd/server.c:1750

--
Regards,
Jones
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20140815.patch
Type: application/octet-stream
Size: 1302 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140815/7a21f72c/attachment.obj>
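
Added example (not the scrubbed attachment and not Samba's code): one way to
implement the check described in method 3, in C. The helper name
ensure_owner_rw_only and the temporary file are assumptions made for the
demonstration; it uses fstat() on the already-open descriptor and compares
every permission bit, so any mode other than exactly 600 is still reset.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: make sure the open file is rw by the owner only.
 * Returns 0 if the mode was already 0600 (no inode update, no ATTRIB event),
 * 1 if fchmod() was needed and succeeded, -1 on error. */
int ensure_owner_rw_only(int fd)
{
    const mode_t want = S_IRUSR | S_IWUSR;
    struct stat st;

    /* fstat() on the descriptor: check and fix apply to the same file. */
    if (fstat(fd, &st) == -1)
        return -1;
    /* Compare all permission bits, including setuid/setgid/sticky. */
    if ((st.st_mode & 07777) == want)
        return 0;
    if (fchmod(fd, want) == -1)
        return -1;
    return 1;
}

/* Constructed demo: a temp file is loosened to 0644, then the helper runs
 * twice. Returns first*10 + second, or -1 on any failure. */
int demo(void)
{
    char path[] = "/tmp/smbpasswd-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);

    if (fd == -1)
        return -1;
    if (fchmod(fd, 0644) == -1 ) { close(fd); unlink(path); return -1; }
    int first = ensure_owner_rw_only(fd);   /* mode differs: fchmod runs */
    int second = ensure_owner_rw_only(fd);  /* already 0600: skipped */
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600;
    close(fd);
    unlink(path);
    return ok ? first * 10 + second : -1;
}

int main(void)
{
    printf("demo result: %d\n", demo());
    return 0;
}
```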

