[Samba] User can't access a share that he has full control of

Ephi Dror ephi at agami.com
Mon Aug 21 17:14:02 GMT 2006


Hi all,
 
I have noticed that if you create a share to  path lets say
\\dir1\dir2\dir3
And a user lets say u1 has full control on dir3 BUT no control at all on
dir2 then user u1 cannot access the share.
 
Is it right?
 
We have a situation with clients who typically do the following:
Create a share to the root of the file system and  give only to
administrator full control on  for the root path then he creates folders
and apply ACLs to them and then creates shares to map those folders
directly.
Of course, users can access those folders since they don't have search
right on the entire path.
 
Looking at the code reviles that SMB_VFS_STAT is issued with  VUID of
that user and not as root. Meaning that when a new connection is made by
a user and the new process is becoming that VUID and if the uid does not
have search right to all parts of the path, the stat system call will
fail.
 
According to the man page on stat:
"... you do not need any access rights to the file to get information
but you need search rights to all directories named in the path leading
to the file..."
 
Am I missing something here big time?
 
Was it done by purposes?
 
I quickly modified vfs.c and vfs-wraper .c to change to root before stat
or chdir is done and then change back to the original vuid and things
started to work.
Basically, now it works exactly as windows behaving.
 
Meaning a user can access a share that he has rights  to,  even that the
user has no access to all folders leading to that.
 
I also tested the situation on UNIX and emulated the issue in which a
user can do everything going forward from a given directory but of
course can't look or change to directories before.
 
Thanks,
Ephi
 
 


More information about the samba mailing list