[Samba] dos filemode (security concern)
Jeremy Allison
jra at samba.org
Fri Feb 29 11:17:54 GMT 2008
On Fri, Feb 29, 2008 at 11:26:48AM +0100, Ralf Gross wrote:
> Ralf Gross schrieb:
> >
> > I've a question about the 'dos filemode' option (samba 3.0.24, debian etch). I
> > want to use this option to allow group members with write access to add/change
> > permissions.
> >
> > man smb.conf:
> >
> > dos filemode (S)
> > only the owner of a file/directory is able to change the permissions on it.
> > However, this behavior is often confusing to DOS/Windows users. Enabling
> > this parameter allows a user who has write access to the file (by whatever
> > means) to modify the permissions (including ACL) on it. Note that a user
> > belonging to the group owning the file will not be allowed to change
> > permissions if the group is only granted read access. Ownership of the
> > file/directory may also be changed.
> >
> >
> > I am member of the group users, but I've no write access to the directory. So
> > I'd think that I'm not allowed to add users or change permissions. But this is
> > not true here.
> [...]
>
> This starts to be a real problem here...
>
> The 'dos filemode' option is not working as described in the man page.
> At least not for me.
>
> Following the man page, user with write permissions should be abel to
> change permission. But that's not what I observe here.
>
> - the owning group is always able to change the permissions, even if I
> remove all permissions for this group (group::---).
>
> - other users with write access are not allowed to change permissions
> (either with direct rwx permissions or as member of a group with rwx
> perms)
The docs are confusing here. For permission control,
the semantics of the "acl group control" are being
replaced by "dos filemode". The docs for "acl group control"
state :
In a POSIX filesystem, only the owner of a file or directory and the superuser
can modify the permissions and ACLs on a file. If this parameter is set, then
Samba overrides this restriction, and also allows the primary group owner of a
file or directory to modify the permissions and ACLs on that file.
which is what you are seeing.
The internal code is :
static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
{
if ( (errno == EACCES || errno == EPERM)
&& (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
&& current_user_in_group(prim_gid))
{
return True;
}
return False;
}
What we should do I think is add the text from "acl group control" to
the "dos filemode" text.
Jeremy.
More information about the samba
mailing list