[Samba] Samba not implementing "rights" correctly on server. Shouldn't it use "Capabilities" or equiv?

Jeremy Allison jra at samba.org
Wed Jun 23 16:04:53 MDT 2010

On Tue, Jun 22, 2010 at 05:25:29PM -0700, Linda W wrote:
> (oops...end truncated, on prior)
> On Sunday 20/06/2010 at 10:52 pm, L. A. Walsh wrote:
>>> I assigned the "TakeOwnerShip" right ['Domain Admins'].
>>> I placed myself in that group.
>>> when I try taking ownership of [a] directory [owned
>>> by someone else, it] fails with a permission denied.
>>> [Why doesn't this work?]
>>> If domain rights DON't work this way -- they what are they for?
> someone (privately, so name withheld) responded:
>> Remember, the under lying file system is still in control.  So, you  
>> need to check the acl.  Honestly, the best way to control samba acls  
>> is to set the base unix acls to as close to 777 as you can tolerate,  
>> then control everything with acls.  At least that's been my experience.
>> However, my experience also says that for file manipulation from  
>> Windows, a user mapped to root is the cleanest solution.  Admin group  
>> user really seems more a permission thing for control of the Windows  
>> side of things.
> ----
> How is this not broken?  smbd is running as root.  If I allocate
> the 'take ownership' right to an account and 'smbd', running as root,
> is implementing my policies on my server, then why isn't this,
> for the purposes of this operation (take ownership), giving
> the subprocess the "CAP_CHOWN" capability (or just using 'root' CAP,
> if "sub-CAPS" are not defined) to implement policy?
> Or to respond to the responder -- the underlying file system should
> not be in control -- since I allocated the equivalent of
> CAP_CHOWN for the purposes of allowing me to "Take Ownership"
> to an account.  Smbd, running as root should override local file
> system permissions in this case.
> Is there a reason why it shouldn't?  It's a root-level process, and
> I've told it to grant that 'right' -- I'd expect it to grant sufficient
> capabilities to a sub-process in order for it to implement policy.

Yes, it should do this. If TakeOwnership is granted smbd will
allow a user with this right to chown to themselves.


More information about the samba mailing list