[Samba] dos filemode (security concern)
Ralf-Lists at ralfgross.de
Fri Feb 29 10:26:48 GMT 2008
Ralf Gross wrote:
> I've a question about the 'dos filemode' option (samba 3.0.24, debian etch). I
> want to use this option to allow group members with write access to add/change
> man smb.conf:
> dos filemode (S)
> only the owner of a file/directory is able to change the permissions on it.
> However, this behavior is often confusing to DOS/Windows users. Enabling
> this parameter allows a user who has write access to the file (by whatever
> means) to modify the permissions (including ACL) on it. Note that a user
> belonging to the group owning the file will not be allowed to change
> permissions if the group is only granted read access. Ownership of the
> file/directory may also be changed.
> I am a member of the group users, but I've no write access to the directory. So
> I'd think that I'm not allowed to add users or change permissions. But this is
> not true here.
This starts to be a real problem here...
The 'dos filemode' option is not working as described in the man page.
At least not for me.
Following the man page, users with write permissions should be able to
change permissions. But that's not what I observe here.
- the owning group is always able to change the permissions, even if I
remove all permissions for this group (group::---).
- other users with write access are not allowed to change permissions
(either with direct rwx permissions or as member of a group with rwx

# file: test
# owner: ralfgro
# group: test-admin

-> members of group test-admin can change permissions
-> members of group erv can't change permissions
-> user rg can't change permissions
the config (I've used different options, but this didn't change the behavior):
printable = no
comment = Testshare
browseable = no
writable = yes
dos filemode = yes
store dos attributes = yes
ea support = yes
#inherit permissions = yes
inherit acls = Yes
#acl map full control = False
map acl inherit = Yes
map archive = no
map hidden = no
map system = no
map readonly = no
path = /server/projekte/test/testshare
Is anyone successfully using the 'dos filemode' option as documented in the man page?
The goal would be:
A share where members of different groups can set permissions on different directories.
test/ <-- access for all group members of group erv
/A <-- access only for a couple of users, maybe an extra group
/B <-- access for some other users, maybe an extra group
Users that have write access to A should be able to grant other users access.
The same for B.
atm: if directory A is created by user ralfgro, who for example has primary
group erv, he and all members of group erv can change permissions, and there is
no way (from Windows) to change the owning group. And even if ralfgro adds
another group or user with rwx permissions, none of them can change the permissions.
To avoid the problem with the owning group I tried using the gid bit and set
the owning group to an empty group with no members. But still no other user with
rwx access can change permissions.
How do other people solve this problem?
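An added example (not code from the thread or from Samba) that models the rule the man page quoted above describes: without 'dos filemode' only the owner may change permissions; with it, anyone who has write access to the file by any means (owner entry, named user entry, owning or named group entry, or other, all subject to the mask) may. Write access is decided with the POSIX.1e ACL evaluation order from acl(5), so a getfacl listing such as the one in the post can be checked for who should be permitted under the documented behaviour. The listings, user names and group memberships in the block are constructed for illustration; the names `rg`, `ralfgro`, `test-admin` and `erv` are taken from the post, everything else is assumed.

```python
"""Documented 'dos filemode' rule on top of a POSIX.1e ACL access check.
Constructed example; ACL listings below are made up for illustration."""

from typing import Dict, List, Optional


class Acl:
    """Parsed getfacl(1)-style listing for one file or directory."""

    def __init__(self) -> None:
        self.owner = ""
        self.group = ""
        self.user_obj = "---"   # user::  entry (file owner)
        self.group_obj = "---"  # group:: entry (owning group)
        self.other = "---"      # other:: entry
        self.mask: Optional[str] = None      # mask:: entry, if present
        self.users: Dict[str, str] = {}      # user:NAME:perms
        self.groups: Dict[str, str] = {}     # group:NAME:perms


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl text output; '#effective:' annotations are ignored."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#"):
            continue  # "# file:" and other comments
        tag, qualifier, perms = line.split("#")[0].split(":", 2)
        perms = perms.strip()
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError("unknown ACL entry: " + line)
    return acl


def _has(perms: str, want: str) -> bool:
    return all(p in perms for p in want)


def _masked(perms: str, mask: Optional[str]) -> str:
    # Named users, named groups and the owning group are limited by the mask.
    return perms if mask is None else "".join(p for p in perms if p in mask)


def posix_acl_check(acl: Acl, user: str, user_groups: List[str], want: str = "w") -> bool:
    """acl(5) evaluation order: owner, named user, any matching group, other."""
    if user == acl.owner:
        return _has(acl.user_obj, want)
    if user in acl.users:
        return _has(_masked(acl.users[user], acl.mask), want)
    matched = []
    if acl.group in user_groups:
        matched.append(acl.group_obj)
    matched += [p for g, p in acl.groups.items() if g in user_groups]
    if matched:
        # Access is granted if any matching group entry grants it.
        return any(_has(_masked(p, acl.mask), want) for p in matched)
    return _has(acl.other, want)


def may_change_permissions(acl: Acl, user: str, user_groups: List[str],
                           dos_filemode: bool = True) -> bool:
    """Rule as documented: owner always; with dos filemode, anyone with write access."""
    if user == acl.owner:
        return True
    if not dos_filemode:
        return False
    return posix_acl_check(acl, user, user_groups, "w")


# Constructed listing modelled on the post: owner ralfgro, owning group test-admin
# stripped of all rights, user rg and group erv granted rwx.
SAMPLE_ACL = """\
# file: test
# owner: ralfgro
# group: test-admin
user::rwx
user:rg:rwx
group::---
group:erv:rwx
mask::rwx
other::---
"""

# Same listing with a restrictive mask: rwx entries become effectively r-x.
SAMPLE_ACL_MASKED = SAMPLE_ACL.replace("mask::rwx", "mask::r-x")

# Hypothetical accounts and their group memberships.
ACCOUNTS = {"ralfgro": ["erv"], "rg": [], "alice": ["test-admin"],
            "bob": ["erv"], "carol": ["some-other-group"]}


def who_may_change(listing: str, accounts: Dict[str, List[str]]) -> Dict[str, bool]:
    acl = parse_getfacl(listing)
    return {u: may_change_permissions(acl, u, gs) for u, gs in accounts.items()}


if __name__ == "__main__":
    for name, listing in (("rwx mask", SAMPLE_ACL), ("r-x mask", SAMPLE_ACL_MASKED)):
        print(name, who_may_change(listing, ACCOUNTS))
```

Under the documented rule the owner and anyone with an effective write bit (rg, bob) may change permissions, while a test-admin member (alice) may not because group::--- denies the owning group; the post reports the opposite, which is exactly what running the listing through this check makes easy to spot. The masked variant shows why a getfacl line with '#effective:r-x' matters: the named entry says rwx, but the mask removes the write bit and with it the ability to change permissions.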