[Samba] share permissions
Kevin Field
kev at brantaero.com
Thu Aug 22 09:54:06 MDT 2013
Oh, so it only looks at the immediate parent's permissions? Not the
grandparent? I find that even more bewildering but a whole lot easier
to work with if that's the case :)
Thanks,
Kev
On 2013-08-22 11:44 AM, Ricky Nance wrote:
> No, you can use /home/srv/share as long as srv (under home) is 755
> permissions. Samba does run as root, but it also still obeys the rules
> of the underlying file system.
>
> Ricky
>
>
> On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field <kev at brantaero.com> wrote:
>
> I can understand that.
>
> However, I'm a bit confused about how this is supposed to be
> practical in the case of Samba. Samba runs as root, so it can see
> everything. I'm telling it to share a particular folder. Why should
> it look at the ACLs of folders above that, when there's no way they
> will be otherwise accessible via Samba?
>
> The reason I bother with this question is that /home and /srv are on
> two different partitions. I set it up so that the bulk of space
> would be available under /home. Okay, so it sounds like links can
> come to the rescue here. I dig around and it seems that hard links on
> directories have not been allowed since the '70s. Symbolic links
> could work, but if you enable the following of symbolic links in
> smb.conf, it can open up security holes. So to me it seems there's
> no workaround for a design that doesn't make sense in the first
> place (checking the ACLs of parent directories even if you're root
> and they're irrelevant to the application of sharing the given
> directory.)
>
> Am I missing something?
>
> Thanks,
> Kev
>
>
> On 2013-08-20 11:22 AM, Ricky Nance wrote:
>
> Permissions are hard to explain (possibly because I don't fully
> understand them myself I guess), but if you have a directory (say /srv)
> and you give it 0700 permissions, then only the person that owns that
> directory is able to see anything under it. However, if you give it 0755,
> then ANYONE can see (the second 5 is R-X for everyone) what's in there.
> Now you have a directory under that, let's call it share (so /srv/share),
> and you give it permissions of 0777, then everyone can read/write in the
> share folder, but no one can write to the /srv folder except the owner.
> So when you had a share under /home/user (where typically /home is 755
> and /home/user is 0700) then no one had access to the underlying
> directories (even if the underlying directory is 777, because the user
> simply can't get to that point)...
>
> If anyone disagrees or could explain this better please feel free to do
> so, I am not opposed to learning new things :)
>
> Ricky
>
>
> On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field <kev at brantaero.com> wrote:
>
> Aha! Moving it worked. I can now see it from Windows. If I chmod 777 on
> the directory I can also add files to it from Windows.
>
> However, I don't quite understand why the parent of the share directory
> affects it. BTW /home/me has 700 permissions and /srv has 755. If the +x
> on /srv allows the +x on my test share directory to allow Windows to
> browse it, why doesn't the -w on /srv prevent the +w on my test share
> directory from allowing Windows to create files there? I always thought
> negative permissions took precedence in ACL, generally?
>
> Thanks,
> Kev
>
>
> On 2013-08-20 10:22 AM, Kevin Field wrote:
>
> Hi Ricky,
>
> I don't think I should have to reboot. setenforce is documented to work
> without rebooting. If I need to reboot a Linux server to troubleshoot
> something like this--and I hear SELinux is often a first thing to try
> disabling to troubleshoot--then it's worse than Windows for rebooting
> requirements. But I'm pretty sure that's simply not true.
>
> Otherwise this is meaningless:
>
> $ sudo setenforce 0
> $ sudo getenforce
> Permissive
>
> Also I'm a bit confused as to why the permissions on /home should affect
> /home/me if I've explicitly set them on /home/me and haven't defined some
> kind of ACL inheritance policy. Is it the default that higher directories'
> permissions override lower ones in CentOS? Or is it a Samba fileshare
> thing? I would like to know exactly how this works, but in any case, I'll
> try moving the share and see how it goes.
>
> Thanks,
> Kev
>
> On 2013-08-17 9:47 AM, Ricky Nance wrote:
>
> Have a look at
> http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
> and you will probably have to reboot after making the changes. I have
> seen this cause more problems than not, so I would start with disabling
> it and see if it fixes your problem. Also since you are using a /home/me
> before your share, you need to make sure you have at least 755
> permissions in both /home and /home/me, it might be a good idea to make
> a directory named /srv/mytestshare instead.
>
> Ricky
>
>
> On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field <kev at brantaero.com> wrote:
>
> Interestingly, I couldn't turn off selinux using their method:
>
> $ sudo echo 0 > /selinux/enforce
> -bash: /selinux/enforce: Permission denied
>
> Perhaps it's a CentOS thing. Anyway, `sudo setenforce 0` seemed to work
> in that it didn't give me an error message, but OTOH didn't seem to work
> in that the output of ls -alhDZ was the same:
>
> drwxrwxr-x. me me unconfined_u:object_r:samba_share_t:s0 mytestshare
>
> But in any case, it still gives me the same error from Windows.
>
> Also something strange happened, after a while I could not navigate to
> \\newdc without a similar error, but I had not been doing anything in the
> system, so I'm not sure what might have caused it. Running `sudo killall
> samba` and then `sudo samba` made it suddenly be browseable again. Maybe
> not related...not sure...
>
> Anyway thanks for your help, Ricky. Any other ideas? BTW I had set up the
> selinux permissions on the mytestshare dir per the HOWTO at
> http://wiki.centos.org/HowTos/SetUpSamba . I'm pretty sure that's why it
> says samba_share_t on the ls output above.
>
> Kev
>
>
> On 2013-08-16 11:52 AM, Ricky Nance wrote:
>
> Temporarily turn off selinux, if that fixes your issue you will need to
> adjust the selinux rules to take care of the problem (or just completely
> disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
> you turn it off it can tell you if selinux is on, then run that again
> after it's turned off to confirm. You can read about disabling/turning
> off selinux at http://www.revsys.com/writings/quicktips/turn-off-selinux.html
>
> Ricky
>
>
> On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field <kev at brantaero.com> wrote:
>
> I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
> successfully replicating with a W2K3 server. I'm following the HOWTO
> here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
> [mytest]
>         path = /home/me/mytestshare   <-- with or without trailing slash
>         read only = No
>
> On the W2K3 box, I can browse to \\newdc and I see my test share listed
> there. I can also see it if I connect to newdc in Computer Management.
> However, what I can't get from either of those places is a Security tab
> if I right-click the share and go to Properties. There's a Share
> Permissions tab in CM only that says that Everyone has Full Control.
> Despite that, if I try to double-click the share in Explorer, I get:
>
> ---------------------------
> \\newdc
> ---------------------------
> \\newdc\mytest is not accessible. You might not have permission to use
> this network resource. Contact the administrator of this server to find
> out if you have access permissions.
>
> Access is denied.
>
> ---------------------------
> OK
> ---------------------------
>
> My account has all privileges I can think of, including the
> SeDiskOperatorPrivilege as laid out in the HOWTO.
>
> Even if I chmod 777 /home/me/mytestshare I get this error.
>
> What am I missing?
>
> Thanks,
> Kev
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
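The traversal rule Ricky describes, and both of Kevin's questions (why -w on /srv does not block +w on /srv/share, and whether only the immediate parent is checked), can be shown with a small model of the kernel's discretionary permission check. This is an added example, not code from the thread or from Samba; the uids 0/1000/1001, the group sets and the directory layout are constructed to match the paths discussed above. It applies to Samba because smbd switches to the authenticated user's uid and groups before touching the file system (unless the share sets force user or the account is listed in admin users), so the share path is resolved with that user's credentials: every ancestor directory must grant search (x) to the user, while read and write are checked only on the final directory, and a missing w on an ancestor never blocks writes below it.

```python
"""Model of the POSIX directory-traversal check: each ancestor must grant
search (x); only the final directory's bits decide list/create.
Added example, not code from the thread or the Samba project."""
from dataclasses import dataclass, field


@dataclass
class Dir:
    mode: int                      # permission bits, e.g. 0o755
    uid: int                       # owner uid
    gid: int                       # owner gid
    children: dict = field(default_factory=dict)

    def add(self, name, mode, uid, gid):
        child = Dir(mode, uid, gid)
        self.children[name] = child
        return child


def rwx_for(d, uid, gids):
    """(r, w, x) that directory d grants to a principal with uid and group set gids."""
    if uid == 0:
        return True, True, True        # root: DAC is bypassed
    if uid == d.uid:
        shift = 6                      # owner triplet
    elif d.gid in gids:
        shift = 3                      # group triplet
    else:
        shift = 0                      # other triplet
    bits = (d.mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def check(root, path, uid, gids, op):
    """op is 'list' (read the directory), 'enter' (search it) or 'create'
    (make a new entry in it). Returns (ok, reason)."""
    node, walked = root, ""
    for part in [p for p in path.split("/") if p]:
        _, _, x = rwx_for(node, uid, gids)
        if not x:                      # ancestors need only x, never r or w
            return False, f"no search (x) permission on {walked or '/'}"
        if part not in node.children:
            return False, f"{walked}/{part} does not exist"
        walked += "/" + part
        node = node.children[part]
    r, w, x = rwx_for(node, uid, gids)
    needed = {"list": r, "enter": x, "create": w and x}[op]
    return (True, "ok") if needed else (False, f"no permission to {op} in {walked or '/'}")


ROOT, ME, OTHER = 0, 1000, 1001        # constructed uids: root, "me", a second user


def build_thread_tree():
    """Layout from the thread: /home 0755, /home/me 0700,
    /home/me/mytestshare 0777, /srv 0755, /srv/share 0777."""
    fs = Dir(0o755, ROOT, ROOT)
    home = fs.add("home", 0o755, ROOT, ROOT)
    me = home.add("me", 0o700, ME, ME)
    me.add("mytestshare", 0o777, ME, ME)
    srv = fs.add("srv", 0o755, ROOT, ROOT)
    srv.add("share", 0o777, ME, ME)
    return fs


def thread_cases():
    """What a user other than 'me' (as the Windows account would map to) can do."""
    fs = build_thread_tree()
    other = (OTHER, {OTHER})
    return {
        "create in /home/me/mytestshare": check(fs, "/home/me/mytestshare", *other, "create"),
        "create in /srv/share": check(fs, "/srv/share", *other, "create"),
        "create in /srv": check(fs, "/srv", *other, "create"),
        "list /srv/share": check(fs, "/srv/share", *other, "list"),
    }


def grandparent_case():
    """Closing /srv to 0700 blocks /srv/share/sub even though share and sub
    are both 0777: every ancestor is checked, not only the immediate parent."""
    fs = Dir(0o755, ROOT, ROOT)
    srv = fs.add("srv", 0o700, ROOT, ROOT)
    share = srv.add("share", 0o777, ME, ME)
    share.add("sub", 0o777, ME, ME)
    return check(fs, "/srv/share/sub", OTHER, {OTHER}, "create")


if __name__ == "__main__":
    for label, (ok, why) in thread_cases().items():
        print(f"{label:32s} -> {'allowed' if ok else 'denied'} ({why})")
    print("create in /srv/share/sub with /srv 0700 ->", grandparent_case())
```

Running it reproduces the thread: the 0777 share under /home/me is unreachable for anyone but its owner because /home/me has no x for others, while /srv/share accepts new files from anyone even though /srv itself is not writable. The last case answers the grandparent question: an x bit missing anywhere on the path denies access at that point, so tightening any ancestor closes every share beneath it.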