[Samba] dos filemode (security concern)

Ralf Gross Ralf-Lists at ralfgross.de
Mon Feb 11 12:01:39 GMT 2008


Hi,

I've a question about the 'dos filemode' option (samba 3.0.24, debian etch). I
want to use this option to allow group members with write access to add/change
permissions.

man smb.conf:

dos filemode (S)
only the owner of a file/directory is able to change the permissions on it.
However, this behavior is often confusing to DOS/Windows users. Enabling
this parameter allows a user who has write access to the file (by whatever
means) to modify the permissions (including ACL) on it. Note that a user
belonging to the group owning the file will not be allowed to change
permissions if the group is only granted read access. Ownership of the
file/directory may also be changed.


I am member of the group users, but I've no write access to the directory. So
I'd think that I'm not allowed to add users or change permissions. But this is
not true here.


[testshare]
        printable = no
        comment = Testshare
        browseable = no
        writable = yes
        map archive = no
        map hidden = no
        map system = no
        map readonly = no
        dos filemode = yes
        store dos attributes = yes
        ea support = yes
        inherit permissions = yes
        inherit acls = Yes
        map acl inherit = Yes
        path = /test/testshare


Now inside a directory of this share:

# ls -la
drwxr-s---+ 5 mh users   61 2008-02-08 16:08 .
drwxrwx---+ 6 jm jm      65 2008-02-11 11:20 ..
drwxr-s---+ 2 mh users    6 2008-02-08 16:08 test



# getfacl .

# file: .
# owner: mh
# group: users
user::rwx
group::---
group:users:r-x
mask::r-x
other::---


# getfacl test/

# file: test
# owner: mh
# group: users
user::rwx
group::r-x
group:users:r-x
mask::r-x
other::---

Now as a user that has read access (r-x) to both directories (group users)
I'm able to add permissions for the user al from windows explorer to the test
directory.

# getfacl test/

# file: test
# owner: mh
# group: users
user::rwx
user:al:r-x    <----- added user
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:al:r-x   <---- added user
default:group::---
default:mask::rwx
default:other::---


Now how is this possible? I thought the 'dos filemode' option would only work
if a member of the group users has write access to a file.

If I set 'dos filemode = no' I'm not able to add or change permissions.

Ralf
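The question above turns on whether the acting user has write access "by whatever means", which is the precondition the smb.conf man page gives for 'dos filemode'. The following script is an added example (not code from the post or from the Samba project): it parses the getfacl listing of the 'test' directory quoted above with the access-check algorithm from acl(5) (owner entry, then named user entry, then owning/named group entries under the mask, then other) and reports, for a given account, which bits are grantable now, which bits a new child would inherit from the default ACL, and whether the documented 'dos filemode' rule would let that account change permissions. GROUP_MEMBER is a placeholder for the poster's own account, whose name the post does not give; al's group memberships are not given either and are assumed empty.

```python
"""Evaluate getfacl output with the acl(5) access-check algorithm.

Added example, not code from the post or from Samba. Parses the getfacl
listing of the 'test' directory quoted above and answers: does a user have
write access, the precondition smb.conf(5) gives for 'dos filemode'?
GROUP_MEMBER is a placeholder for the poster's account (name not given).
"""
from dataclasses import dataclass, field


def perm_bits(text: str) -> int:
    """'r-x' -> 5; dashes contribute nothing."""
    return sum(bit for c, bit in (("r", 4), ("w", 2), ("x", 1)) if c in text)


@dataclass
class Acl:
    owner: str = ""
    group: str = ""                               # owning group name
    user_obj: int = 0                             # user::
    group_obj: int = 0                            # group::
    other: int = 0                                # other::
    mask: int = 7                                 # mask:: (7 if no mask entry)
    users: dict = field(default_factory=dict)     # user:NAME:
    groups: dict = field(default_factory=dict)    # group:NAME:


def parse_getfacl(text: str) -> tuple:
    """Return (access ACL, default ACL) from one getfacl listing."""
    access, default = Acl(), Acl()
    for raw in text.splitlines():
        line = raw.split("<")[0].strip()          # drop "<---- added user" notes
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, value = line[2:].split(":", 1)
            for acl in (access, default):
                setattr(acl, key, value.strip())
        if not line or line.startswith("#"):
            continue
        target = access
        if line.startswith("default:"):           # applies to new children only
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        bits = perm_bits(perms)
        if qualifier:                             # user:NAME: / group:NAME:
            getattr(target, tag + "s")[qualifier] = bits
        elif tag in ("user", "group"):            # user:: / group::
            setattr(target, tag + "_obj", bits)
        else:                                     # mask:: / other::
            setattr(target, tag, bits)
    return access, default


def has_access(acl: Acl, user: str, groups: set, want: str) -> bool:
    """acl(5) check: does `user` (member of `groups`) get every bit in `want`?"""
    need = perm_bits(want)
    if user == acl.owner:                         # 1. owner entry, never masked
        return (acl.user_obj & need) == need
    if user in acl.users:                         # 2. named user entry, masked
        return (acl.users[user] & acl.mask & need) == need
    matching = [acl.group_obj] if acl.group in groups else []
    matching += [b for name, b in acl.groups.items() if name in groups]
    if matching:                                  # 3. any matching group entry suffices
        return any((b & acl.mask & need) == need for b in matching)
    return (acl.other & need) == need             # 4. other entry


def effective(acl: Acl, user: str, groups: set) -> str:
    """'rwx'-style summary of the bits individually grantable to `user`."""
    return "".join(c if has_access(acl, user, groups, c) else "-" for c in "rwx")


def may_change_permissions(acl: Acl, user: str, groups: set) -> bool:
    """Precondition smb.conf(5) states for 'dos filemode': owner, or write access."""
    return user == acl.owner or has_access(acl, user, groups, "w")


# The post's listing of the 'test' directory after the change, copied as sample input.
TEST_AFTER = """\
# file: test
# owner: mh
# group: users
user::rwx
user:al:r-x    <----- added user
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:al:r-x   <---- added user
default:group::---
default:mask::rwx
default:other::---
"""
GROUP_MEMBER = "groupmember"   # placeholder for the poster's account


def report(listing: str, user: str, groups: set) -> dict:
    """Bits grantable now, bits a new child would inherit, and the dos filemode test."""
    access, default = parse_getfacl(listing)
    return {"effective": effective(access, user, groups),
            "inherited": effective(default, user, groups),
            "may_change_permissions": may_change_permissions(access, user, groups)}


if __name__ == "__main__":
    print("group member:", report(TEST_AFTER, GROUP_MEMBER, {"users"}))
    print("al:", report(TEST_AFTER, "al", set()))   # al's groups unknown, assumed none
```

For the quoted listing the group member resolves to r-x through the owning-group entry under the rwx mask, so the rule as documented in the man page would not let that account change permissions; only the owner mh passes the check. The script evaluates the file-system ACL only; how Samba itself decides is exactly what the post asks.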

