Fix for Samba server masking world writeable perm off
Alexander Bokovoy
ab at samba.org
Tue Feb 26 16:11:20 UTC 2019
On ti, 26 helmi 2019, Jeremy Allison via samba-technical wrote:
> On Tue, Feb 26, 2019 at 12:20:20AM -0600, Steve French wrote:
> > Very strange - I noticed that using jra's experimental POSIX code, the
> > Samba server would always mask off the world writeable flag ie 0777
> > would become 0775 permissions. No matter what the masks were in
> > smb.conf.
> >
> > Turned out to be simple but strange:
> >
> > Removing the
> > "obey pam restrictions"
> > line from smb.conf (which seems to be set by default in some distros)
> > fixed the problem. Now a SMB3.1.1 POSIX mkdir ends up with 0777 mode
> > after a mkdir -m 0777 ...
> >
> > I am quite surprised that this parm does anything related to the mode
> > bits, and would not have thought of it, but noticed it when googling
> > for these particular permissions .... (it hit on this post from a year
> > ago where a user hit the same problem with permissions being masked
> > this way and Samba server:
> > https://askubuntu.com/questions/210808/set-umask-set-permissions-and-set-acl-but-samba-isnt-using-those)
> > .
> >
> > Any idea why "obey pam restrictions" would cause Samba to mask mode bits?
>
> That is utterly insane.
>
> ~/src/samba/git/smb2-posix$ git grep lp_obey_pam
> source3/auth/pampass.c: if (!lp_obey_pam_restrictions())
> source3/auth/pampass.c: if (!lp_obey_pam_restrictions())
> source3/auth/pampass.c: if (!lp_obey_pam_restrictions())
>
> Is it possible some of the pam calls are setting a
> umask internally ?
Yes, most likely session phase is setting them -- either in pam_limits
or in pam_systemd.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list