[Samba] access to files continues after removing user from group
Chad William Seys
cwseys at physics.wisc.edu
Wed May 11 01:38:22 UTC 2016
Hello all,
I've noticed that removing a user from a group in /etc/group does not
immediately prevent the user from accessing files / directories which the
group still has access to.
For example, say user 'cwseyst2' only has access to 'plc' if it
is in group 'plc-staff'.
# getfacl plc
# file: plc
# owner: smbadmin
# group: smbadmin
user::rwx
group::rwx
group:plc-staff:rwx
group:wheel:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:plc-staff:rwx
default:group:wheel:rwx
default:mask::rwx
default:other::---
If plc-group starts off without cwseyst2, then as expected cwseyst2 cannot
access.
Then I add cwseyst2 to plc-staff by editing /etc/group and as expected access
is possible.
The surprise comes in when I remove cwseyst2 from plc-staff by editing
/etc/group. cwseyst2 can continue accessing plc! It can create files!
cwseyst2 only loses access when smbd is restarted. (Or the smbd process
acting for cwseyst2 is killed and respawned.) It seems as though the smbd
process which is acting for cwseyst2 is running as root and can access the
files as root instead of cwseyst2.
The computer does not have nscd.
Does samba not drop privileges aggressively enough? Have I set up samba
wrong?
Thanks!
Chad.
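
An added example, not part of the original post and not Samba code: since the post reports that access persists until the user's smbd process is restarted, this sketch computes which users the ACL on 'plc' admits according to the group file as it stands now, and flags connected users who are no longer among them. The group file contents, the user 'alice', the function names and the caller-supplied list of connected users are assumptions made for illustration.

```python
# Added example. ACL is the getfacl output from the post (default: entries
# omitted); GROUP and any session list passed in are constructed sample data.
ACL = """\
# file: plc
# owner: smbadmin
# group: smbadmin
user::rwx
group::rwx
group:plc-staff:rwx
group:wheel:rwx
mask::rwx
other::---
"""
GROUP = "wheel:x:10:smbadmin\nplc-staff:x:2001:alice\nsmbadmin:x:2000:\n"

def parse_group(text):
    """Map group name -> set of members, from /etc/group formatted text."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.strip().split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def users_granted(acl_text, group_text, need="rwx"):
    """Users the access ACL admits for `need`, given this group file text.
    Simplified: unions matching entries; ignores other:: and primary groups."""
    groups = parse_group(group_text)
    lines = [l.strip() for l in acl_text.splitlines()]
    head = dict(l[2:].split(": ", 1) for l in lines
                if l.startswith("# ") and ": " in l)   # file / owner / group
    rows = [l.split()[0].split(":") for l in lines
            if l and not l.startswith(("#", "default:"))]
    mask = next((p for t, _q, p in rows if t == "mask"), "rwx")
    granted = set()
    for tag, qual, perms in rows:
        eff = set(perms) - {"-"}
        if tag == "group" or qual:   # mask caps named users and all group entries
            eff &= set(mask)
        if set(need) <= eff and tag == "user":
            granted.add(qual or head.get("owner"))
        elif set(need) <= eff and tag == "group":
            granted |= groups.get(qual or head.get("group"), set())
    return granted

def stale_sessions(connected, acl_text, group_text, need="rwx"):
    """Connected users that the ACL plus current group file no longer admit."""
    return sorted(set(connected) - users_granted(acl_text, group_text, need))
```

With the constructed data, stale_sessions(["alice", "cwseyst2"], ACL, GROUP) returns ["cwseyst2"], the session that would need to be ended after the group edit.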