chmod(2) and utime(2) Problems

B.V.Dean B.V.Dean at ukc.ac.uk
Wed Aug 23 10:38:20 GMT 2000


I am having a problem with my samba config on my web server related to
file permissions.
The problem seems quite subtle!

The samba config file contains (Samba 2.0.7):

----cut here
[global]
        workgroup = UKC
        server string = University Web Server
        security = domain
        encrypt passwords = Yes
        password server = KNOLE CORFE
        log file = /var/adm/log/samba.log
        max log size = 5000
        deadtime = 30
        fake directory create times = yes
        follow symlinks = yes
        wide links = no
        dns proxy = No
        wins server = 129.12.1.15
        hosts allow = 129.12.
        create mask = 0112
        force directory mode = 0775
        # Allow NT to change mode bits even if it does not own the file?
        directory security mask = 0777
        security mask = 0777
        force directory security mode = 0000
        force security mode = 0000            
        inherit permissions = Yes
        volume = %S
        writeable = Yes
        path = /www/shared/%S
[help]
        comment = Help on using this server
        path = /www/help
        browsable = yes
        guest ok = yes
        volume = Help
        writeable = no
[wwwlocal]
        comment = Local Intranet Web Content
[wwwroot]
        comment = Internet Web Content 
[wwwsu]
        comment = Student Union Web Content
[wwwtest]
        comment = Test Area for Web Authors
----cut here

In the shares there are directories mode 2755 owner root, group variable
depending on authors for the content.

eg:

	drwxrwsr-x  10 root     wwwukc      3072 Aug 18 16:07 ukc

In this directory there are files with various owners mode 664 group wwwukc.

When user fred tries to drag-n-drop an updated file into ukc, it only works if
the owner is fred. If the owner is barney, the drag-n-drop (Windows Explorer)
fails with "Access Denied: The Source file may be in use"!

This problem first surfaced when users of Dreamweaver 3 tried to synchronise
their off-line content with the on-line content. Dreamweaver also reports
"Access Denied", but curiously does update the contents of the remote file.

Imagine we are fred, writing to a file owned by barney ...
Using truss we see that Dreamweaver does the following:

Truncate the file to 0 bytes: Allowed because we have group read
chmod the file to mode 0764: Fails - we are not the owner or root
utime to change modtime: Fails - we are not the owner or root

This is a problem, as we have multiple authors in groups with shared
responsibility for content. They have to be able to update each other's files.

If you do the following:

Delete target file: Allowed as we have group write access
Copy new file: Allowed as we can write new files (group write access)
Change modes/times: Allowed as we now own the file.

It all works, because the new file belongs to you, irrespective of who owned it
before.


The only way we can see round this is to use "force user", which allows all
access to files to anyone! Not helpful :-)

Has anyone any ideas?

If only chmod(2) and utime(2) were less secure :-)

SAMBA needs to implement the "Allow DOS archive bit and access times to be
modified so long as I have write access, even if it is not my file" semantics.




Barry Dean
Senior Computing Officer
http://www.ukc.ac.uk/php/bvd/
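
The two sequences described in the post, as an added example that is not part of the original message: a small Python model of the standard POSIX ownership checks behind open(2), chmod(2), utime(2) and unlink(2). The class names, operation labels and sample data are constructed here, and the sticky bit and ACLs are not modelled. It goes slightly beyond the post by also covering utime(path, NULL), which needs only write access.

```python
from dataclasses import dataclass

@dataclass
class Node:
    owner: str
    group: str
    mode: int                          # 0o664 file, 0o2775 setgid directory

@dataclass
class User:
    name: str
    groups: tuple                      # primary group first

def has_perm(user, node, bit):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if user.name == "root":
        return True
    shift = 6 if user.name == node.owner else 3 if node.group in user.groups else 0
    return bool(node.mode & (bit << shift))

def check(op, user, node):
    """Return 'ok' or the errno name the call fails with for this user."""
    owner_or_root = user.name in ("root", node.owner)
    if op == "truncate":               # open(path, O_WRONLY | O_TRUNC)
        return "ok" if has_perm(user, node, 2) else "EACCES"
    if op in ("chmod", "utime_set"):   # chmod(2); utime(2) with explicit times
        return "ok" if owner_or_root else "EPERM"
    if op == "utime_now":              # utime(path, NULL): write access suffices
        return "ok" if owner_or_root or has_perm(user, node, 2) else "EACCES"
    if op == "dir_modify":             # unlink/create: write + search on the directory
        return "ok" if has_perm(user, node, 2) and has_perm(user, node, 1) else "EACCES"
    raise ValueError(op)

def overwrite_in_place(user, f):
    """Sequence the post reports from truss: truncate, chmod, utime."""
    return {op: check(op, user, f) for op in ("truncate", "chmod", "utime_set")}

def delete_and_recreate(user, d, new_mode=0o664):
    """Sequence the post says works: unlink, create, then chmod/utime on the new file."""
    result = {"unlink": check("dir_modify", user, d), "create": check("dir_modify", user, d)}
    if result["create"] != "ok":
        return result, None
    # The creator owns the new file; a setgid directory passes on its group.
    new = Node(user.name, d.group if d.mode & 0o2000 else user.groups[0], new_mode)
    result.update({op: check(op, user, new) for op in ("chmod", "utime_set")})
    return result, new

# Constructed sample matching the post's listing: drwxrwsr-x root wwwukc, files 664.
fred = User("fred", ("staff", "wwwukc"))
ukc, page = Node("root", "wwwukc", 0o2775), Node("barney", "wwwukc", 0o664)
```

Calling `overwrite_in_place(fred, page)` reproduces the failing chmod and utime steps, while `delete_and_recreate(fred, ukc)` succeeds throughout because the replacement file is owned by fred and inherits group wwwukc from the setgid directory.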





