Security-level permission not working as expected on samba3.5.15

sandeep nag sandeepnagamalli at gmail.com
Mon May 26 10:56:21 MDT 2014


We use samba 3.5.15 code with acl_xattr module for acl support. Here are
the observations I made, when I tried setting share-level, security-level
permissions on a samba share:


1. Share-level permissions are working as expected, i.e. in our test-case:
when read-only share-level permission is set for the user,
and when the user tries to create a folder/file, it throws an error
saying permission denied.
2. On 2008 Windows boxes, the general behavior on any share folder is: if we
set one of the Share or Security-level permissions, the other would convert to
the same, i.e. we cannot set one of them to read-only and the other to read&write
permissions.
3. Whereas on our samba3.5.15, #3 above is not seen. We are able to set
Share-level to read&write and Security-level permission to read-only.
And with such settings, it allows creating/writing a
file/directory, though there are not enough security-level permissions.
4. So, the behavior mentioned in #4 above is not following the rule, i.e.
‘The effective permission for the user should be the lesser of the two
rights (share-level, security-level)’.

5. I have tried debugging the issue by placing breakpoints in
smbd_check_access_rights(), se_accesss_right() and have observed that for
the test-case:
share-level read&write permission given for 'everyone' and
read-only security-level permission given for the share is not working as
expected, i.e. the user with just read-only security-level permissions
is able to create files and directories in the shared folder.

Please help me in knowing whether I am missing something, or whether this is a
known issue in samba 3.5.15?

Thanks,
Sandeep.
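
The rule quoted in item 4, shown as an added example that is not part of the original post and is not Samba's code: effective access is the bitwise intersection of what the share ACL and the file-system ACL each grant, so the post's test case should deny file creation. The user name "alice", the ACL contents, and the simplified ACE model (trustee names instead of SIDs, no group membership other than Everyone) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows access-mask bits (meaning on a directory in parentheses). */
#define FILE_READ_DATA   0x0001u  /* (list directory)   */
#define FILE_WRITE_DATA  0x0002u  /* (add file)         */
#define FILE_APPEND_DATA 0x0004u  /* (add subdirectory) */
#define READ_MASK  (FILE_READ_DATA)
#define WRITE_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA)

/* Simplified ACE: trustee is a name here, a SID in a real descriptor. */
struct ace { int deny; const char *trustee; uint32_t mask; };

/* Walk ACEs in order: a bit is granted by the first allow ACE naming the
 * user (or Everyone) unless an earlier deny ACE already removed it. */
static uint32_t acl_granted(const struct ace *acl, size_t n, const char *user) {
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(acl[i].trustee, user) && strcmp(acl[i].trustee, "Everyone"))
            continue;
        if (acl[i].deny)
            denied |= acl[i].mask & ~granted;
        else
            granted |= acl[i].mask & ~denied;
    }
    return granted;
}

/* Effective access over the share: a bit must be granted by both ACLs. */
static uint32_t effective_access(const struct ace *share, size_t ns,
                                 const struct ace *fs, size_t nf, const char *user) {
    return acl_granted(share, ns, user) & acl_granted(fs, nf, user);
}

/* Constructed data mirroring the post's test case. */
static const struct ace share_acl[] = { {0, "Everyone", READ_MASK | WRITE_MASK} };
static const struct ace fs_acl[]    = { {0, "alice", READ_MASK} };

/* Creating a file or directory needs at least one write bit. */
static int can_create(const char *user) {
    return (effective_access(share_acl, 1, fs_acl, 1, user) & WRITE_MASK) != 0;
}

int main(void) {
    printf("alice create allowed: %d (expected 0)\n", can_create("alice"));
    return 0;
}
```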

