[Samba] share permissions

Kevin Field kev at brantaero.com
Thu Aug 22 09:19:08 MDT 2013


I can understand that.

However, I'm a bit confused about how this is supposed to be practical 
in the case of Samba.  Samba runs as root, so it can see everything. 
I'm telling it to share a particular folder.  Why should it look at the 
ACLs of folders above that, when there's no way they will be otherwise 
accessible via Samba?

The reason I bother with this question is that /home and /srv are on two 
different partitions.  I set it up so that the bulk of space would be 
available under /home.  Okay, so it sounds like links can come to the rescue 
here.  I dig around and it seems that hard links on directories have not 
been allowed since the 70's.  Symbolic links could work, but if you 
enable the following of symbolic links in smb.conf, it can open up 
security holes.  So to me it seems there's no workaround for a design 
that doesn't make sense in the first place (checking the ACLs of parent 
directories even if you're root and they're irrelevant to the 
application of sharing the given directory.)

Am I missing something?

Thanks,
Kev

On 2013-08-20 11:22 AM, Ricky Nance wrote:
> Permissions are hard to explain (possibly because I don't fully
> understand them myself I guess), but if you have a directory (say /srv)
> and you give it 0700 permissions, then only the person that owns that
> directory is able to see anything under it, however if you give it 0755,
> then ANYONE can see (the second 5 is R-X for everyone) what's in there,
> now you have a directory under that, let's call it share, (so /srv/share)
> and you give it permissions of 0777, then everyone can read/write in the
> share folder, but no one can write to the /srv folder except the owner.
> So when you had a share under /home/user (where typically /home is
> 755, and /home/user is 0700) then no one had access to the
> underlying directories (even if the underlying directory is 777, because
> the user simply can't get to that point)...
>
> If anyone disagrees or could explain this better please feel free to do
> so, I am not opposed to learning new things :)
>
> Ricky
>
>
> On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field <kev at brantaero.com
> <mailto:kev at brantaero.com>> wrote:
>
>     Aha!  Moving it worked.  I can now see it from Windows.  If I chmod
>     777 on the directory I can also add files to it from Windows.
>
>     However, I don't quite understand why the parent of the share
>     directory affects it.  BTW /home/me has 700 permissions and /srv has
>     755.  If the +x on /srv allows the +x on my test share directory to
>     allow Windows to browse it, why doesn't the -w on /srv prevent the
>     +w on my test share directory from allowing Windows to create files
>     there?  I always thought negative permissions took precedence in
>     ACL, generally?
>
>     Thanks,
>     Kev
>
>
>     On 2013-08-20 10:22 AM, Kevin Field wrote:
>
>         Hi Ricky,
>
>         I don't think I should have to reboot.  setenforce is documented
>         to work
>         without rebooting.  If I need to reboot a Linux server to
>         troubleshoot
>         something like this--and I hear SELinux is often a first thing
>         to try
>         disabling to troubleshoot--then it's worse than Windows for
>         rebooting
>         requirements.  But I'm pretty sure that's simply not true.
>
>         Otherwise this is meaningless:
>
>         $ sudo setenforce 0
>         $ sudo getenforce
>         Permissive
>
>         Also I'm a bit confused as to why the permissions on /home
>         should affect
>         /home/me if I've explicitly set them on /home/me and haven't defined
>         some kind of ACL inheritance policy.  Is it the default that higher
>         directories' permissions override lower ones in CentOS?  Or is it a
>         Samba fileshare thing?  I would like to know exactly how this
>         works, but
>         in any case, I'll try moving the share and see how it goes.
>
>         Thanks,
>         Kev
>
>         On 2013-08-17 9:47 AM, Ricky Nance wrote:
>
>             Have a look at
>             http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
>             and
>             you will probably have to reboot after making the changes. I
>             have seen
>             this cause more problems than not, so I would start with
>             disabling it
>             and see if it fixes your problem. Also since you are using a
>             /home/me
>             before your share, you need to make sure you have at least 755
>             permissions in both /home and /home/me, it might be a good
>             idea to make
>             a directory named /srv/mytestshare instead.
>
>             Ricky
>
>
>             On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field
>             <kev at brantaero.com <mailto:kev at brantaero.com>
>             <mailto:kev at brantaero.com <mailto:kev at brantaero.com>>> wrote:
>
>                  Interestingly, I couldn't turn off selinux using their
>             method:
>
>                  $ sudo echo 0 > /selinux/enforce
>                  -bash: /selinux/enforce: Permission denied
>
>                  Perhaps it's a CentOS thing.  Anyway, `sudo setenforce
>             0` seemed to
>                  work in that it didn't give me an error message, but
>             OTOH didn't
>                  seem to work in that the output of ls -alhDZ was the same:
>
>                  drwxrwxr-x. me   me unconfined_u:object_r:samba_share_t:s0 mytestshare
>
>                  But in any case, it still gives me the same error from
>             Windows.
>
>                  Also something strange happened, after a while I could
>             not navigate
>                  to \\newdc without a similar error, but I had not been
>             doing
>                  anything in the system, so I'm not sure what might have
>             caused it.
>                    Running `sudo killall samba` and then `sudo samba`
>             made it
>                  suddenly be browseable again.  Maybe not related...not
>             sure...
>
>                  Anyway thanks for your help, Ricky.  Any other ideas?
>               BTW I had set
>                  up the selinux permissions on the mytestshare dir per
>             the HOWTO at
>             http://wiki.centos.org/HowTos/SetUpSamba .  I'm pretty
>             sure that's
>                  why it says samba_share_t on the ls output above.
>
>                  Kev
>
>
>                  On 2013-08-16 11:52 AM, Ricky Nance wrote:
>
>                      Temporarily turn off selinux, if that fixes your
>             issue you will
>                      need to
>                      adjust the selinux rules to take care of the
>             problem (or just
>                      completely
>                      disable selinux). Also if you do a ls -alhDZ
>                      /home/me/mytestshare before
>                      you turn it off it can tell you if selinux is on,
>             then run that
>                      again
>                      after its turned off to confirm. You can read about
>                      disabling/turning
>                      off selinux
>
>             at http://www.revsys.com/writings/quicktips/turn-off-selinux.html
>
>                      Ricky
>
>
>                      On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field
>             <kev at brantaero.com <mailto:kev at brantaero.com>
>                      <mailto:kev at brantaero.com <mailto:kev at brantaero.com>>
>                      <mailto:kev at brantaero.com
>             <mailto:kev at brantaero.com> <mailto:kev at brantaero.com
>             <mailto:kev at brantaero.com>>>> wrote:
>
>                           I have a share setup on a Samba 4.0.8 / CentOS
>             6.4 box
>             that is
>                           successfully replicating with a W2K3 server.  I'm
>             following the
>                           HOWTO here:
>
>             https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
>                           [mytest]
>                                   path = /home/me/mytestshare <-- with or without trailing slash
>                                   read only = No
>
>                           On the W2K3 box, I can browse to \\newdc and I
>             see my test
>                      share
>                           listed there.  I can also see it if I connect
>             to newdc in
>                      Computer
>                           Management.  However, what I can't get from
>             either of those
>                      places
>                           is a Security tab if I right-click the share
>             and go to
>                      Properties.
>                           There's a Share Permissions tab in CM only
>             that says that
>                      Everyone
>                           has Full Control. Despite that, if I try to
>             double-click
>                      the share
>                           in Explorer, I get:
>
>                           ---------------------------
>                           \\newdc
>                           ---------------------------
>                           \\newdc\mytest is not accessible. You might
>             not have
>                      permission to
>                           use this network resource. Contact the
>             administrator of
>                      this server
>                           to find out if you have access permissions.
>
>                           Access is denied.
>
>                           ---------------------------
>                           OK
>                           ---------------------------
>
>                           My account has all privileges I can think of,
>             including the
>                           SeDiskOperatorPrivilege as laid out in the HOWTO.
>
>                           Even if I chmod 777 /home/me/mytestshare I get
>             this error.
>
>                           What am I missing?
>
>                           Thanks,
>                           Kev
>                           --
>                           To unsubscribe from this list go to the
>             following URL and
>                      read the
>                           instructions:
>
>             https://lists.samba.org/mailman/options/samba
>
>
>
>
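Added example, not part of the thread above and not Samba's code: the script
below models the discretionary permission check the kernel applies to a
non-root process walking a path. It is the check that matters here because
smbd's listener runs as root, but before it touches a file on behalf of a
session it switches its effective uid and gids to the authenticated user's,
so a share under /home/me (0700) is evaluated exactly as if that user had
logged in locally. The model shows the two points the thread circles around:
every directory on the way needs only the search bit (x), while read and
write are checked on the final directory alone, so a missing w on /srv does
not stop file creation in /srv/share, and a missing x on /home/me stops
everyone else from reaching /home/me/mytestshare no matter that it is 0777.
The names check_access, build_fixture and demo, the temporary directory tree,
and the uid 4242424 (a user that owns nothing) are all constructed for the
example; root's CAP_DAC_OVERRIDE is deliberately left out.

```python
"""Model of the POSIX discretionary access check along a path.

Added example for the thread above; not the poster's code and not Samba's.
check_access(), build_fixture() and demo() are names chosen here, and the
uid 4242424 is a constructed "some other user" that owns none of the dirs.
"""
import os
import stat
import tempfile

_BIT = {"r": 4, "w": 2, "x": 1}


def _permits(st, uid, gids, need):
    """True if the one POSIX class that applies to (uid, gids), i.e. owner,
    else group, else other, grants every bit named in `need` (subset of 'rwx')."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    wanted = sum(_BIT[c] for c in need)
    granted = (st.st_mode >> shift) & 0o7
    return (granted & wanted) == wanted


def check_access(base, rel, uid, gids, want_write=False):
    """Walk `rel` beneath `base` (assumed reachable) the way the kernel does
    for a non-root caller: each intermediate directory needs only the search
    bit (x); read and, if want_write, write are checked on the final
    directory alone. Returns (ok, explanation)."""
    parts = [p for p in rel.split("/") if p]
    if not parts:
        raise ValueError("rel must name at least one path component")
    cur = base
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{cur} is not a directory"
        if not _permits(st, uid, gids, "x"):
            return False, f"no search (x) bit on {cur} for uid {uid}"
    target = os.path.join(cur, parts[-1])
    need = "rwx" if want_write else "rx"
    if not _permits(os.stat(target), uid, gids, need):
        return False, f"{target} does not grant {need!r} to uid {uid}"
    return True, f"{target} grants {need!r} to uid {uid}"


def build_fixture():
    """Constructed directory tree mirroring the thread: home 0755,
    home/me 0700, srv 0755, and a 0777 mytestshare under both."""
    root = tempfile.mkdtemp()
    layout = (("home", 0o755), ("home/me", 0o700), ("srv", 0o755),
              ("home/me/mytestshare", 0o777), ("srv/mytestshare", 0o777))
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # mkdir's mode argument is masked by umask; chmod is not
    return root


def demo():
    """Evaluate both shares for a uid that owns none of the directories,
    which is the position smbd is in after switching to the connecting
    user's uid/gid. Returns a dict of (ok, explanation) per case."""
    root = build_fixture()
    other = dict(uid=4242424, gids={4242424})
    return {
        "home_share": check_access(root, "home/me/mytestshare", want_write=True, **other),
        "srv_share": check_access(root, "srv/mytestshare", want_write=True, **other),
        "srv_itself": check_access(root, "srv", want_write=True, **other),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:11} {'OK    ' if ok else 'DENIED'} {why}")
```

Running it reports home_share as DENIED at home/me (the 0777 on the share
never gets consulted), srv_share as OK for read and write, and srv_itself as
DENIED for write, which is the asymmetry the thread asks about: a parent
directory's missing w bit only governs creating entries in that parent, not
in directories below it.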

