chmod(2) and utime(2) Problems
B.V.Dean
B.V.Dean at ukc.ac.uk
Wed Aug 23 10:38:20 GMT 2000
I am having a problem with my samba config on my web server related to
file permissions.
The problem seems quite subtle!
The samba config file contains (Samba 2.0.7):
----cut here
[global]
workgroup = UKC
server string = University Web Server
security = domain
encrypt passwords = Yes
password server = KNOLE CORFE
log file = /var/adm/log/samba.log
max log size = 5000
deadtime = 30
fake directory create times = yes
follow symlinks = yes
wide links = no
dns proxy = No
wins server = 129.12.1.15
hosts allow = 129.12.
create mask = 0112
force directory mode = 0775
# Allow NT to change mode bits even if it does not own the file?
directory security mask = 0777
security mask = 0777
force directory security mode = 0000
force security mode = 0000
inherit permissions = Yes
volume = %S
writeable = Yes
path = /www/shared/%S
[help]
comment = Help on using this server
path = /www/help
browsable = yes
guest ok = yes
volume = Help
writeable = no
[wwwlocal]
comment = Local Intranet Web Content
[wwwroot]
comment = Internet Web Content
[wwwsu]
comment = Student Union Web Content
[wwwtest]
comment = Test Area for Web Authors
----cut here
In the shares there are directories mode 2755 owner root, group variable
depending on authors for the content.
eg:
drwxrwsr-x 10 root wwwukc 3072 Aug 18 16:07 ukc
In this directory there are files with various owners mode 664 group wwwukc.
When user fred tries to drag-n-drop an updated file into ukc, it only works if
the owner is fred. If the owner is barney, the drag-n-drop (windows explorer)
fails with "Access Denied: The Source file may be in use"!
This problem first surfaced when users of Dreamweaver 3 tried to synchronise
their off line content with the on-line content. Dreamweaver also reports
"Access Denied", but curiously does update the contents of the remote file.
Imagine we are fred, writing to a file owned by barney ...
Using truss we see that Dreamweaver does the following:
Truncate the file to 0 bytes: Allowed because we have group read
chmod the file to mode 0764: Fails - we are not the owner or root
utime to change modtime: Fails - we are not the owner or root
This is a problem, as we have multiple authors in groups with shared
responsibility for content. They have to be able to update each other's files.
If you do the following:
Delete target file: Allowed as we have group write access
Copy new file: Allowed as we can write new files (group write access)
Change modes/times: Allowed as we now own the file.
It all works, because the new file belongs to you, irrespective of who owned it
before.
The only way we can see round this, is to use "force user", which allows all
access to files to anyone! Not helpful :-)
Has anyone any ideas?
If only chmod(2) and utime(2) were less secure :-)
SAMBA needs to implement the "Allow DOS archive bit and access times to be
modified so long as I have write access, even if it is not my file" semantics.
Barry Dean
Senior Computing Officer
http://www.ukc.ac.uk/php/bvd/
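
The permission rules behind the behaviour described in this post, as an added example (not part of the original message and not Samba code): a simplified Python model of the classic Unix owner/group/other checks, ignoring ACLs and capabilities. The uids, the gid and all function names are constructed for illustration; the directory mode is taken from the `drwxrwsr-x` listing in the post.

```python
import stat
from collections import namedtuple

Node = namedtuple("Node", "uid gid mode")   # owner, group, permission bits
Cred = namedtuple("Cred", "uid groups")     # caller's uid and group set

def may(cred, node, want):
    """Classic owner/group/other check; want is a mask of 4=r, 2=w, 1=x."""
    if cred.uid == 0:
        return True
    if cred.uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in cred.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def is_owner(cred, node):
    return cred.uid in (0, node.uid)

def allowed_ops(cred, directory, target):
    """Which steps of 'update in place' and 'delete then copy' succeed."""
    dir_wx = may(cred, directory, 2 | 1)
    # A sticky directory restricts unlink to the file or directory owner.
    sticky = bool(directory.mode & stat.S_ISVTX) and not (
        is_owner(cred, target) or is_owner(cred, directory))
    return {
        "truncate": may(cred, target, 2),          # needs write on the file
        "chmod": is_owner(cred, target),           # owner or root only
        "utime_explicit": is_owner(cred, target),  # setting a chosen mtime
        # utime(2) with a NULL times argument (set to "now") also passes
        # with plain write permission on the file.
        "utime_now": is_owner(cred, target) or may(cred, target, 2),
        "unlink": dir_wx and not sticky,           # decided by the directory
        "create": dir_wx,                          # new file is owned by caller
    }

# Constructed sample data: uids and gid are made up for illustration.
WWWUKC = 500
FRED = Cred(uid=1001, groups={WWWUKC})
BARNEY_UID = 1002
UKC_DIR = Node(uid=0, gid=WWWUKC, mode=0o2775)     # drwxrwsr-x root wwwukc
BARNEYS_FILE = Node(uid=BARNEY_UID, gid=WWWUKC, mode=0o664)

if __name__ == "__main__":
    for op, ok in allowed_ops(FRED, UKC_DIR, BARNEYS_FILE).items():
        print(f"{op:15} {'allowed' if ok else 'EPERM/EACCES'}")
```

Setting the sticky bit on the shared directory (mode `0o3775` in this model) makes the delete-then-copy path fail for non-owners as well, so it is not a neutral hardening step for this layout.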