[Samba] User can't access a share that he has full control of

Ephi Dror ephi at agami.com
Tue Aug 22 18:43:31 GMT 2006

Hi All,

One more point if I may:

I see that Samba currently consider it as security "problem", not a
security "benefit". 

However, frequently there are sub trees that need to be accessed by a
particular user, and with the current semantics, you need to give more
permissions than you might otherwise need to for the directories above
the sub tree. The whole point of a share (or an NFS export) on a server
is to be a direct point of access to clients.

I didn't see how my change violate any POSIX security. It sounds to me
so logic to give user permissions only from mount/export points and not
for any directory leading to mount point.


-----Original Message-----
From: Ephi Dror 
Sent: Monday, August 21, 2006 12:11 PM
To: samba at lists.samba.org
Cc: 'Jeremy Allison'; 'idra at samba.org'
Subject: Re: [Samba] User can't access a share that he has full control

Hi Simo,

Thank you for your reply.

I actually did a little test in which I have two users U1 and U2.
I have a path \\dir1\dir2 in  which I gave access only to administrator
(whom mapped to 0) to dir1 and I gave U1 full control to dir2. Now I
made a share mapping to \\dir1\dir2.

With SAMBA code "as is" not U1 nor U2 can access the share.

With my little patch as I described before U1 can access the share while
U2 can't which is exactly my expectation.
Also this is how my "windows" customers  can be setup for running home

Our customers are too much "windows" oriented and prefer setting files
securities (Acls) via what they know best which is file properties and
less via smb.conf in which we are the champions...

Also, they told me that they typically creating some kind of an "admin"
share to the root of the file system in which only restricted  users and
group can have access and then they create all their wonderful folders
and stuff in which they use ACLs to manipulate access.
So they create different shares pointing to different paths in the file
system but since the "admin" share that point to the root gave access
only to administrator for example, that's how they run into the problem
with our SAMBA.

So far I can't see it as a problem. 


-----Original Message-----
From: simo [mailto:idra at samba.org]
Sent: Monday, August 21, 2006 11:41 AM
To: Jeremy Allison
Cc: Ephi Dror; samba at lists.samba.org
Subject: Re: [Samba] User can't access a share that he has full control

On Mon, 2006-08-21 at 11:12 -0700, Jeremy Allison wrote:
> > 3. If I do this change for our customers, is there any security 
> > issue here that I haven't thought about?
> Yes, it's a security hole (IMHO). It completely bypasses security for 
> a path. There might be things an attacker could do with this (don't 
> have time right now to think up evil scenarious but I'm sure there are

> some :-).

An easy example is accessing other users home directories where the user
target has a 700 permission on his home directory specifically set to
keep out other users. It is a common scenario on unix environments.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org

More information about the samba mailing list