[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
wdevie at hrcsb.org
Thu Sep 17 08:28:49 MDT 2009
On Wednesday 16 September 2009 06:01:21 pm Miguel Medalha wrote:
> I am ignorant enough on these low-level matters. I "almost" understand
> your statement. But... consider the following:
> - At the filesystem level ALL the permissions are 666 or 777
> - The above are ONLY seen by the VFS layer, not by the client side
> - The VFS module writes the real ACLs as extended attributes only (or
> some other method), always setting them as 666/777 at the filesystem level
> - Clients only see the ACLs provided to them *by the VFS layer* and
> never directly from the filesystem
> Wouldn't this provide any desired type of ACLs? What am I missing here?
> Thank you
That's the direction I'm heading experimentally; there are a few shortcomings
that I can think of right away, but they can be mitigated (and the upside is
big from a usability standpoint, I think).
- If there's a flaw discovered in Samba that takes place in non-root code, the
filesystem level ACLs will still prevent information disclosure. If you turn
over all ACL validation to Samba and that validation is what can be bypassed,
then you've lost a layer of protection.
- POSIX ACLs mean that you can set permissions from Windows and those
permissions will also affect non-Samba services (FTP and such). In lots of
installations that's probably nice to have, but for a dedicated file server
where the only user "interface" is Samba, it wouldn't matter.
- How to apply actions might be odd; "Traverse Folders" is pretty self-
explanatory and is easy to manage in the virtual ACL database. "Take
Ownership" is slightly harder: if you take ownership of a set of files, does
that imply fake ownership in just ACLs, or real ownership at the POSIX layer?
If "Take Ownership" doesn't change the UNIX owner, it means that any action on
a file owned by POSIX user A but "owned" by NTACL user Z would have to be run
as root. Adding more root operations is generally considered Bad.
A bit farther on, and the logical next step, then, is that you don't actually
need matching POSIX accounts anymore. By the time you've implemented the VFS
ACL the way you and I were thinking (and trust that it's secure) you can just
run the entire Samba infrastructure as UID = samba, and let the VFS ACL layer
take care of all access control. Every file on the server is now owned by
POSIX user "samba", libnss-ldap is no longer necessary....
Of course, that idea has been debated thoroughly both on mailing lists and
anywhere two Samba users meet on the street, so I'm not touching it : )
Is that along the lines you were thinking, or did I totally miss?
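The first shortcoming above (losing the filesystem layer as a backstop once everything sits at 666/777 and the real ACL lives only in Samba's xattr) is something an administrator can measure rather than argue about. The following audit script is an added example by the editor of this page, not code from the thread or from the Samba project. It walks a share and reports every entry whose POSIX "other" bits already grant read/write (read/write/search for directories), then classifies each as "samba-only" if it carries the NT ACL that vfs_acl_xattr stores in the `security.NTACL` extended attribute, or "unprotected" if it carries none. The sample tree in `demo()` is constructed, and the NT ACL lookup there is a stand-in predicate so the example runs on any system as an unprivileged user; against a real share, call `audit_share(root)` with the default xattr lookup.

```python
"""Flag share entries whose only remaining access control is Samba's NT ACL
(added example; not part of the mailing-list post or of Samba)."""
import os
import stat
import tempfile

NTACL_XATTR = "security.NTACL"  # xattr name vfs_acl_xattr uses for the NT ACL


def xattr_present(path, name=NTACL_XATTR):
    """True if `name` exists on `path`. os.getxattr is Linux-only and the
    attribute may be unreadable, so any failure is treated as 'absent'."""
    try:
        os.getxattr(path, name, follow_symlinks=False)
        return True
    except (OSError, AttributeError):
        return False


def world_open(st_mode):
    """True when the 'other' class gets rw (files) or rwx (directories),
    i.e. the POSIX layer no longer restricts anyone on this entry."""
    mode = stat.S_IMODE(st_mode)
    needed = 0o007 if stat.S_ISDIR(st_mode) else 0o006
    return (mode & needed) == needed


def audit_share(root, has_ntacl=xattr_present):
    """Return [(relative path, octal mode, status)] for every entry under
    `root` that the POSIX bits leave world-open. status is:
      'samba-only'  - an NT ACL xattr exists, so Samba enforces it, but any
                      non-Samba path to the file (FTP, a Samba bug in
                      non-root code, a shell) sees 666/777
      'unprotected' - world-open and no NT ACL at all
    `has_ntacl` is injectable so the logic can be tested without xattr support."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort makes the descent order deterministic
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not world_open(st.st_mode):
                continue
            status = "samba-only" if has_ntacl(path) else "unprotected"
            findings.append((os.path.relpath(path, root),
                             oct(stat.S_IMODE(st.st_mode)), status))
    return findings


def demo():
    """Build a constructed sample tree and audit it with a fake NT ACL lookup.
    Layout (constructed, not real share data):
      payroll.xlsx        0666, NT ACL present   -> samba-only
      public/             0777, NT ACL present   -> samba-only
      public/notes.txt    0666, no NT ACL        -> unprotected
      private/            0750                   -> POSIX still restricts it
      private/secret.txt  0640                   -> POSIX still restricts it"""
    with tempfile.TemporaryDirectory() as root:
        for sub, mode in (("public", 0o777), ("private", 0o750)):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
        files = {"payroll.xlsx": 0o666,
                 "public/notes.txt": 0o666,
                 "private/secret.txt": 0o640}
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            with open(path, "w"):
                pass
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "public"), 0o777)
        os.chmod(os.path.join(root, "private"), 0o750)
        # Stand-in for the security.NTACL xattr: which entries "have" an NT ACL.
        with_ntacl = {os.path.join(root, "payroll.xlsx"),
                      os.path.join(root, "public")}
        return audit_share(root, has_ntacl=lambda p: p in with_ntacl)


if __name__ == "__main__":
    for rel, mode, status in demo():
        print(f"{status:12} {mode} {rel}")
```

Every "samba-only" hit is a file whose confidentiality now rests entirely on Samba's ACL check being correct, which is exactly the layer the post says you give up; "unprotected" hits are misconfigurations under either model and deserve attention first.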