[Samba] Samba vs Linux file permissions
Robert W. Smith
rwsmith at bislink.net
Fri Jun 3 13:55:12 MDT 2011
Were you using Samba 3.4.6 prior to this? If so, here is the release
note for 3.4.7:
Release Notes for Samba 3.4.7
March 8, 2010
This is a security release in order to address CVE-2010-0728.
In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
was added to fix a problem with Linux asynchronous IO handling.
This code introduced a bad security flaw on Linux platforms if the
binaries were built on Linux platforms with libcap support.
The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.
Regardless if it was working under 3.4.6 you may have had a different
and more serious kind of security problem >:-0
Unfortunately I do not see this as a simple mis-configuration of your
server at this point. The error is being emitted after the smbd/open.c
call to try and open the file. It errors out on trying to open the file
> [2011/06/03 13:29:55, 3] smbd/vfs.c:974(check_reduced_name)
> reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
> [2011/06/03 13:29:55, 3] smbd/reply.c:6030(rename_internals)
> Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED
Unfortunately as I do not have an Ubuntu Server 10.04 I can not
experiment with this to help pinpoint an answer for you. Sorry.
BTW, what is shown under the workstations Properties-->Security tab for
the file in question (and when the directory perms are drwxr-x---)? Do
all of the SIDs resolve properly? You may also try posting the error log
using log level = 9 for even more detail--this might also show the SID
to UID/GID mappings.
>On 06/03/2011 01:18 PM, Robert W. Smith wrote:
>> To get back to your issue at hand...Can we see the output of your
>> logs--the entire delete/rename transactions?
>Bob, thanks for your continued interest and help.
>Here is log level = 3 output when trying to change a file within the
>/labs/chemgroup/jmaher directory from the name "orig_name" to
More information about the samba