[Samba] access to files continues after removing user from group

Chad William Seys cwseys at physics.wisc.edu
Wed May 11 01:38:22 UTC 2016


Hello all,
	I've noticed that removing a user from a group in /etc/group does not 
immediately prevent the user from accessing files / directories which the 
group still has access to.
	For example, say user 'cwseyst2' only has access to 'plc' if it 
is in group 'plc-staff'.
# getfacl plc
# file: plc
# owner: smbadmin
# group: smbadmin
user::rwx
group::rwx
group:plc-staff:rwx
group:wheel:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:plc-staff:rwx
default:group:wheel:rwx
default:mask::rwx
default:other::---

If plc-group starts off without cwseyst2, then as expected cwseyst2 cannot 
access.

Then I add cwseyst2 to plc-staff by editing /etc/group and as expected access 
is possible.

The surprise comes in when I remove cwseyst2 from plc-staff by editing 
/etc/group.  cwseyst2 can continue accessing plc!  It can create files!

cwseyst2 only loses access when smbd is restarted.  (Or the smbd process 
acting for cwseyst2 is killed and respawned.) It seems as though the smbd 
process which is acting for cwseyst2 is running as root and can access the 
files as root instead of cwseyst2.

The computer does not have nscd.

Does samba not drop privileges aggressively enough?  Have I set up samba 
wrong?

Thanks!
Chad.
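
An added example, not part of the original post: it evaluates the access ACL shown above against two group lists for 'cwseyst2', one snapshotted when the session began and one read after the /etc/group edit. It assumes the serving process keeps the group list it resolved at session start, which the post does not establish; the /etc/group lines and GIDs are constructed.

```python
# ACL copied from the post; the /etc/group lines and GIDs are constructed.
GETFACL = """# file: plc
# owner: smbadmin
# group: smbadmin
user::rwx
group::rwx
group:plc-staff:rwx
group:wheel:rwx
mask::rwx
other::---
"""
GROUP_AT_SESSION_START = "plc-staff:x:2001:cwseyst2\nwheel:x:10:smbadmin\n"
GROUP_AFTER_EDIT = "plc-staff:x:2001:\nwheel:x:10:smbadmin\n"

def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms)]) for access entries."""
    owner = group = None
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            entries.append(tuple(line.split(":")))
    return owner, group, entries

def groups_of(group_text, user):
    """Names of groups whose member list in /etc/group-format text has user."""
    rows = (l.split(":") for l in group_text.splitlines() if l)
    return {r[0] for r in rows if user in r[3].split(",")}

def access(acl, user, groups):
    """Simplified POSIX ACL check (named user entries are not handled)."""
    owner, owning_group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and not q)
    hits = [p for t, q, p in entries if t == "group" and (q or owning_group) in groups]
    if not hits:
        return next(p for t, _, p in entries if t == "other")
    # Union of the matching group entries, limited by the mask.
    return "".join(c if m == c and any(p[i] == c for p in hits) else "-"
                   for i, (c, m) in enumerate(zip("rwx", mask)))

def stale_access(acl, user, before, after):
    """Compare a session-start group snapshot with a fresh lookup."""
    cached, fresh = groups_of(before, user), groups_of(after, user)
    return {"revoked_groups": cached - fresh,
            "cached": access(acl, user, cached), "fresh": access(acl, user, fresh)}

REPORT = stale_access(parse_acl(GETFACL), "cwseyst2",
                      GROUP_AT_SESSION_START, GROUP_AFTER_EDIT)
```

A non-empty revoked_groups alongside differing cached and fresh permissions marks a session that would have to be ended for the group removal to take effect.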






