Security-level permission not working as expected on samba3.5.15

sandeep nag sandeepnagamalli at gmail.com
Mon May 26 12:02:19 MDT 2014 

Thank you, for answering my query. Please find my responses inline below:


On Mon, May 26, 2014 at 11:02 PM, Richard Sharpe <
realrichardsharpe at gmail.com> wrote:

> On Mon, May 26, 2014 at 9:56 AM, sandeep nag <sandeepnagamalli at gmail.com>
> wrote:
> > We use samba 3.5.15 code with acl_xattr module for acl support. Here are
> > the observations I made, when I tried setting share-level, security-level
> > permissions on a samba share:
> >
> >
> > 1. Share-level permissions are working as  expected. i.e in our
> test-case:
> > When read-only share-level permission is set for the user,
> > and when the user tries to create folder/file, it is throwing an error
> > saying permission denied.
>
> What throws an error? The client? Also, we usually say it returns an error
> ...
>
[Sandeep]  DR is returning a 'permission denied' error to the windows
client and this is expected behavior. Bellow 2  are the actal issues seen:
   a. Issue is mentioned in point#3 below.
   b. Issue is mentioned in point#2 below. Unlike as on 2008 windows boxes
windows file-systems, on a mounted DR container, we are able set different
share-level and   file-level permissions. For eg: We are able to set,
read&write for an user on share-level and read-only permission of the same
user in file-permissions.

>
> > 2. On 2008 windows boxes, general behavior on any share folder is: if we
> > set one of the Share or Security-level permission, other would convert to
> > the same. i.e we cannot set one of it to read-only and other to
> read&write
> > permissions.
>
> Can you describe exactly what happens to the underlying file-level
> permissions when you set a share-level permission?
>
[Sandeep] On 2008 windows box, When I set share-level permission on a
shared-folder to read-only, automatically an ACE is getting added to the
file-level ACLs list. Now, If I convert the file-level  ACE to full-control
the the share-level permission is getting converted to read&write
automatically.

>
> Does Windows change the underlying file-level permissions? I hope not.
>
> > 3. Whereas on our samba3.5.15, #2 above is not seen. We are able to set
> > Share-level to read&write and Security-levvel permission to read-only.
> >         And with such kind of settings, it is allowing to create/write a
> > file/directory, though there are no enough security-level permissions.
> > 4. So, the behavior mentioned in #3 above is not following the rule: i.e
> >  ‘The Afffective permission for the user should be the lesser of the two
> > rights(share-level, security-level)’.
> >
> > 5. I have tried debugging the issue by placing break points in
> > smbd_check_access_rights(), se_accesss_right() and has observed that for
> > the test-case:
> >         share-level read&write permission given for 'everyone' and
> > read-only security-level permission given for the share is not working as
> > expected, i.e the user with just read-only security-level permissions
> >         is able to create files and directories in the shared-folder.
>
> This should not happen. That is because Samba should check the the
> share-level permissions before allowing those creates. In particular,
> there were issues when creating files/folders, which only checked the
> permissions on the parent folder and failed to check the share-level
> permissions, I think. There is likely a simple check you can add.
>
> This is likely because of known bugs. Many of these were fixed in
> Samba 3.6.x, so you could look at the Samba 3.6.x code in the same
> area.
>
[Sandeep] Yes, As I mentioned in #1 above, there are no issues with
Share-level permissions. Issue is seen only in file-level permission.
Sure shall I upgrade to 3.6.23 and check the behavior? Is 3.6.23 is good in
3.6 series?

>
> > Please help me in knowing whether I am missing something, or this is the
> > known-issue in smaba 3.5.15?.
>
> As Rowland Penny says, this is no longer the current release of Samba.
> It is way out of date. However, I do know that you do not have the
> flexibility to move to a more recent version.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>

More information about the samba-technical mailing list