[Samba] Samba vs Linux file permissions

Robert W. Smith rwsmith at bislink.net
Fri Jun 3 13:55:12 MDT 2011


John,

Were you using Samba 3.4.6 prior to this? If so, here is the release
note for 3.4.7:

  =============================
  Release Notes for Samba 3.4.7
           March 8, 2010
  =============================


This is a security release in order to address CVE-2010-0728.


o  CVE-2010-0728:
   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
   was added to fix a problem with Linux asynchronous IO handling.
   This code introduced a bad security flaw on Linux platforms if the
   binaries were built on Linux platforms with libcap support.
   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
   capabilities, allowing all file system access to be allowed
   even when permissions should have denied access.

Regardless, if it was working under 3.4.6 you may have had a different
and more serious kind of security problem >:-0

Unfortunately I do not see this as a simple misconfiguration of your
server at this point. The error is being emitted after the smbd/open.c
call to try and open the file. It errors out on trying to open the file
for renaming.


> [2011/06/03 13:29:55,  3] smbd/vfs.c:974(check_reduced_name)
>   reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
> [2011/06/03 13:29:55,  3] smbd/reply.c:6030(rename_internals)
>   Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED


Unfortunately, as I do not have an Ubuntu Server 10.04, I cannot
experiment with this to help pinpoint an answer for you. Sorry.

BTW, what is shown under the workstation's Properties-->Security tab for
the file in question (and when the directory perms are drwxr-x---)? Do
all of the SIDs resolve properly? You may also try posting the error log
using log level = 9 for even more detail; this might also show the SID
to UID/GID mappings.

Bob
--bs


>On 06/03/2011 01:18 PM, Robert W. Smith wrote:
>
>...
>
>> John,
>> 
>> To get back to your issue at hand...Can we see the output of your
>> logs--the entire delete/rename transactions? 
>
>Bob, thanks for your continued interest and help.
>
>Here is log level = 3 output when trying to change a file within the
>/labs/chemgroup/jmaher directory from the name "orig_name" to
>"new_name":
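As an added example, not code from this thread or from the Samba project: a small POSIX shell check a server administrator can run to see whether any smbd process that has already switched to a non-root user still holds CAP_DAC_OVERRIDE, the condition the release note quoted above describes. It reads the CapEff and Uid lines from /proc/<pid>/status (CAP_DAC_OVERRIDE is capability number 1, so bit value 0x2 in the mask). Treating root-owned smbd processes as expected to hold the full capability set is this check's own assumption, and the pgrep/awk plumbing and the sample mask values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag smbd worker processes that hold
# CAP_DAC_OVERRIDE after switching to the connecting user.
# CapEff in /proc/<pid>/status is a hex bitmask; CAP_DAC_OVERRIDE is
# capability number 1, i.e. bit value 0x2.

# has_dac_override HEXMASK -> true (0) when bit 1 of the mask is set
has_dac_override() {
    mask=$1
    [ -n "$mask" ] || return 1
    # Bit 1 lives in the least significant hex digit, so inspect only that
    # digit; no 64-bit arithmetic on the full mask is needed.
    last=${mask#"${mask%?}"}
    [ $(( 0x$last & 2 )) -ne 0 ]
}

# is_flagged EUID HEXMASK -> true when a non-root process holds CAP_DAC_OVERRIDE.
# Assumption of this check: a root-owned smbd legitimately holds the full
# capability set, so only processes that have already become the
# connecting user (effective UID != 0) are of interest.
is_flagged() {
    euid=$1
    mask=$2
    [ "$euid" -ne 0 ] && has_dac_override "$mask"
}

# proc_field PID LABEL N -> N-th value on the "LABEL:" line of /proc/PID/status
proc_field() {
    awk -v label="$2:" -v n="$3" '$1 == label { print $(n+1) }' "/proc/$1/status"
}

# audit_smbd -> prints one line per flagged smbd process; returns 1 if any found
audit_smbd() {
    found=0
    for pid in $(pgrep -x smbd 2>/dev/null); do
        euid=$(proc_field "$pid" Uid 2) || continue    # Uid: real effective saved fs
        mask=$(proc_field "$pid" CapEff 1) || continue
        if is_flagged "$euid" "$mask"; then
            echo "smbd pid $pid euid $euid CapEff $mask: holds CAP_DAC_OVERRIDE"
            found=1
        fi
    done
    return $found
}

# Constructed sample masks for the two cases (not captured from a real host).
SAMPLE_CLEAN=0000000000000000   # unprivileged worker with no capabilities
SAMPLE_BAD=0000000000000002     # unprivileged worker that kept CAP_DAC_OVERRIDE

# Usage: sh smbd_capcheck.sh --audit   (exit status 1 when a process is flagged)
if [ "${1:-}" = "--audit" ]; then
    audit_smbd
fi
```

The same idea applies to any daemon that drops to an unprivileged user: after the switch, CapEff should normally read all zeros, and a non-zero CAP_DAC_OVERRIDE bit there means Linux file permission checks are being bypassed regardless of what the mode bits say.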