[Samba] samba says "you have right" but I must not have right (Important - SECURITY ISSUE)

Andrew Bartlett abartlet at samba.org
Fri Jan 9 21:45:16 GMT 2004


On Fri, Jan 09, 2004 at 02:25:08PM +0100, stephane.purnelle at corman.be wrote:
> My Samba 3.0.1 is configured with LDAP SAM and ACL on XFS filesystem.
> 
> For a test, I added my user to the group "cadres". This group is in the ACL
> definition of my directory.
> 
> # file: Projets
> # owner: root
> # group: root
> user::rwx
> user:asi:rwx
> group::rwx
> group:administrateurs
> group:cdir:r-x
> group:jardin:r-x
> group:cadres:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:asi:rwx
> default:group::rwx
> default:group:adminis
> default:mask::rwx
> default:other::---
> 
> In my explorer, the directory Projets appears, and the directory is available.
> Afterwards, I modified my group "cadres" and removed my account from the group.
> 
> For more than 1 hour, I have been able to see and access the directory, but in a Unix
> console I cannot, and I must not have access to this directory.
> The only possibility that I have is: "killing my connection with SWAT"
> 
> 
> I am looking at the source and I think that the NT_USER_TOKEN information is
> not updated after connection, or that this information is not updated
> correctly.
> I propose that Samba refresh this information correctly every five minutes,
> or a parameter REFRECH_USRE_INFO in smb.conf.

You will find that all Unix, NT and Win2k systems function in this way.  A
user's group permissions last until they log out.

Andrew Bartlett
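
The Unix side of the behaviour described in the reply can be checked by comparing the groups a running process carries with what the group database grants now. This is an added example, not part of the original thread and not Samba code; it does not read Samba's NT_USER_TOKEN, it assumes a Linux-style `/proc/<pid>/status`, and the sample text and GIDs (1002 standing in for "cadres") are constructed.

```python
import grp
import os
import pwd

# Constructed sample of /proc/<pid>/status for a session opened before the change.
SAMPLE_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t100 1001 1002 \n"
# Constructed: what the group database grants after removal from GID 1002.
SAMPLE_CURRENT = [100, 1001]


def parse_proc_groups(status_text):
    """Extract the supplementary GIDs from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return [int(g) for g in line.split()[1:]]
    return []


def stale_groups(session_gids, current_gids):
    """GIDs the session still carries but the group database no longer grants."""
    return sorted(set(session_gids) - set(current_gids))


def gid_name(gid):
    """Resolve a GID to a name, falling back to the number if it is unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_current_process():
    """Compare this process's groups with what a fresh login would receive."""
    try:
        user = pwd.getpwuid(os.getuid())
    except KeyError:
        return None  # UID has no passwd entry (e.g. some containers)
    session = set(os.getgroups()) | {os.getgid()}
    current = os.getgrouplist(user.pw_name, user.pw_gid)
    return {"user": user.pw_name,
            "stale": [gid_name(g) for g in stale_groups(session, current)]}


if __name__ == "__main__":
    print("sample stale GIDs:",
          stale_groups(parse_proc_groups(SAMPLE_STATUS), SAMPLE_CURRENT))
    print("this process:", audit_current_process())
```

A non-empty `stale` list identifies a session that has to be ended and re-established before a group removal takes effect for it.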

