Security-level permission not working as expected on samba3.5.15

Richard Sharpe realrichardsharpe at
Mon May 26 11:32:07 MDT 2014

On Mon, May 26, 2014 at 9:56 AM, sandeep nag <sandeepnagamalli at> wrote:
> We use samba 3.5.15 code with acl_xattr module for acl support. Here are
> the observations I made, when I tried setting share-level, security-level
> permissions on a samba share:
> 1. Share-level permissions are working as  expected. i.e in our test-case:
> When read-only share-level permission is set for the user,
> and when the user tries to create folder/file, it is throwing an error
> saying permission denied.

What throws an error? The client? Also, we usually say it returns an error ...

> 2. On 2008 windows boxes, general behavior on any share folder is: if we
> set one of the Share or Security-level permission, other would convert to
> the same. i.e we cannot set one of it to read-only and other to read&write
> permissions.

Can you describe exactly what happens to the underlying file-level
permissions when you set a share-level permission?

Does Windows change the underlying file-level permissions? I hope not.

> 3. Whereas on our samba3.5.15, #3 above is not seen. We are able to set
> Share-level to read&write and Security-levvel permission to read-only.
>         And with such kind of settings, it is allowing to create/write a
> file/directory, though there are no enough security-level permissions.
> 4. So, the behavior mentioned in #4 above is not following the rule: i.e
>  ‘The Afffective permission for the user should be the lesser of the two
> rights(share-level, security-level)’.
> 5. I have tried debugging the issue by placing break points in
> smbd_check_access_rights(), se_accesss_right() and has observed that for
> the test-case:
>         share-level read&write permission given for 'everyone' and
> read-only security-level permission given for the share is not working as
> expected, i.e the user with just read-only security-level permissions
>         is able to create files and directories in the shared-folder.

This should not happen. That is because Samba should check the the
share-level permissions before allowing those creates. In particular,
there were issues when creating files/folders, which only checked the
permissions on the parent folder and failed to check the share-level
permissions, I think. There is likely a simple check you can add.

This is likely because of known bugs. Many of these were fixed in
Samba 3.6.x, so you could look at the Samba 3.6.x code in the same

> Please help me in knowing whether I am missing something, or this is the
> known-issue in smaba 3.5.15?.

As Rowland Penny says, this is no longer the current release of Samba.
It is way out of date. However, I do know that you do not have the
flexibility to move to a more recent version.

Richard Sharpe

More information about the samba-technical mailing list