smb2.session.reauth4: UID/GID to use as anonymous user when modifying DACL
sprabhu at redhat.com
sprabhu at redhat.com
Fri Jun 21 10:20:24 UTC 2024
Thanks Metze,
That information will be of great use with updating the new vfs_ceph
module.
Sachin Prabhu
On Mon, 2024-06-17 at 12:30 +0200, Stefan Metzmacher wrote:
> Hi Xavi,
>
> > > > At the same time, I can also see that getuid()/getgid() returns
> > > > 0/0 and
> > > > geteuid()/getegid() also returns 0/0. Does the default plugin
> > > > use
> > > > uid/gid 0/0 while performing this operation?
> > > >
> > > > I have the following questions
> > > > 1) What are we testing for with this smbtorture test?
> > > > 2) Is the anonymous user allowed to modify the DACL of the file
> > > > as done
> > > > in the test? This would obviously lead to access denied errors
> > > > as we
> > > > see currently.
> > >
> > > It checks the reauthentication has no effect on open file handles
> > > only on new file handles. After the SMB2 Create only fsp-
> > > >access_mask
> > > matters for access checking.
> > >
> > > > 3) What uid/gid should be set when performing this action as
> > > > the
> > > > anonymous user?
> > >
> > > Maybe you need to remember the low level token at open time
> > > and use that.
> > >
> >
> > I'm not sure if this will work in all cases. When the acl_xattr vfs
> > module
> > is used, the Windows ACLs are stored in "security.NTACL". To
> > correctly set
> > this xattr, the process needs to become root on a kernel mounted
> > filesystem
> > because the kernel doesn't allow a regular user to modify that
> > xattr, even
> > if the user has permissions to modify the file.
> >
> > If a share uses a vfs module instead of a kernel mount to export
> > the
> > filesystem, and that filesystem also requires root privileges to
> > modify the
> > "security" namespace, then using the cached permissions at the time
> > of
> > opening the file won't be enough.
> >
> > I think that the unix token should be kept consistent with the
> > effective
> > owner of the process at all times to avoid this problem or similar
> > ones.
>
> We have get_current_utok(), which refects become_root().
> Currently that can be used instead of handle->conn->session_info-
> >unix_token.
>
> metze
>
More information about the samba-technical
mailing list