[Samba] dos filemode (security concern)

Jeremy Allison jra at samba.org
Fri Feb 29 11:17:54 GMT 2008


On Fri, Feb 29, 2008 at 11:26:48AM +0100, Ralf Gross wrote:
> Ralf Gross schrieb:
> > 
> > I've a question about the 'dos filemode' option (samba 3.0.24, debian etch). I
> > want to use this option to allow group members  with write access to add/change
> > permissions.
> > 
> > man smb.conf:
> > 
> > dos filemode (S)
> > only the owner of a file/directory is able to change the permissions on it.
> > However, this behavior  is  often confusing  to  DOS/Windows users. Enabling
> > this parameter allows a user who has write access to the file (by whatever
> > means) to modify the permissions (including ACL) on it. Note that a user
> > belonging to the group owning the file will not be allowed to change
> > permissions if the group is only granted read access. Ownership of the
> > file/directory may also be changed.
> > 
> > 
> > I am member of the group users, but I've no write access to the directory. So
> > I'd think that I'm not allowed to add users or change permissions. But this is
> > not true here.
> [...]
> 
> This starts to be a real problem here...
> 
> The 'dos filemode' option is not working as described in the man page.
> At least not for me.
> 
> Following the man page, user with write permissions should be abel to
> change permission. But that's not what I observe here.
> 
> - the owning group is always able to change the permissions, even if I
>   remove all permissions for this group (group::---).
> 
> - other users with write access are not allowed to change permissions
>   (either with direct rwx permissions or as member of a group with rwx
>   perms)

The docs are confusing here. For permission control,
the semantics of the "acl group control" are being
replaced by "dos filemode". The docs for "acl group control"
state :

In a POSIX filesystem, only the owner of a file or directory and  the  superuser
can  modify  the  permissions and ACLs on a file. If this parameter is set, then
Samba overrides this restriction, and also allows the primary group owner  of  a
file or directory to modify the permissions and ACLs on that file.

which is what you are seeing.

The internal code is :

static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
{
        if ( (errno == EACCES || errno == EPERM)
                && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
                && current_user_in_group(prim_gid))
        {
                return True;
        }

        return False;
}

What we should do I think is add the text from "acl group control" to
the "dos filemode" text.

Jeremy.


More information about the samba mailing list