[Samba] access to files continues after removing user from group

Jeremy Allison jra at samba.org
Wed May 11 09:19:07 UTC 2016

On Tue, May 10, 2016 at 08:38:22PM -0500, Chad William Seys wrote:
> Hello all,
> 	I've noticed that removing a user from a group in /etc/group does not 
> immediately prevent the user from accessing files / directories which the 
> group still has access to.
> 	For example, say user 'cwseyst2' only has access to 'plc' if it 
> is in group 'plc-staff'.
> # getfacl plc
> # file: plc
> # owner: smbadmin
> # group: smbadmin
> user::rwx
> group::rwx
> group:plc-staff:rwx
> group:wheel:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:plc-staff:rwx
> default:group:wheel:rwx
> default:mask::rwx
> default:other::---
> If plc-group starts off without cwseyst2, then as expected cwseyst2 cannot 
> access.
> Then I add cwseyst2 to plc-staff by editing /etc/group and as expected access 
> is possible.
> The surprise comes in when I remove cwseyst2 from plc-staff by editing 
> /etc/group.  cwseyst2 can continue accessing plc!  It can create files!
> cwseyst2 only loses access when smbd is restarted.  (Or the smbd process 
> acting for cwseyst2 is killed and respawned.) It seems as though the smbd 
> process which is acting for cwseyst2 is running as root and can access the 
> files as root instead of cwseyst2.
> The computer does not have nscd.
> Does samba not drop privileges aggressively enough?  Have I set up samba 
> wrong?

Logged in tokens with group lists don't dynamically
change to reflect changes in the group database.
The token (user id and group list) is created
at login time, and will remain the same whilst
that user is connected.
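As an added example (not part of the thread), a small Python check an administrator could run after editing /etc/group to list the connected smbd sessions whose login tokens were built before the edit and therefore still carry the removed groups. The two /etc/group snapshots and the `smbstatus -p` table are constructed sample data, and the column layout assumed for that table is an assumption, not taken from the mail.

```python
"""Report smbd sessions whose group list at connect time no longer matches /etc/group."""

# Constructed /etc/group contents before and after the administrator's edit.
GROUP_BEFORE = """\
plc-staff:x:1005:cwseyst2,alice
wheel:x:10:root,alice
"""
GROUP_AFTER = """\
plc-staff:x:1005:alice
wheel:x:10:root,alice
"""
# Constructed, trimmed `smbstatus -p` process table (assumed column layout).
SMBSTATUS = """\
PID     Username     Group        Machine
-------------------------------------------
4211    cwseyst2     cwseyst2     10.0.0.5 (ipv4:10.0.0.5:49152)
4215    alice        alice        10.0.0.7 (ipv4:10.0.0.7:49153)
"""

def parse_groups(text):
    """Map each user to the set of supplementary groups listing them in /etc/group.
    Primary groups from /etc/passwd are not considered here."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, users = line.split(":", 3)
        for user in filter(None, users.split(",")):
            members.setdefault(user, set()).add(name)
    return members

def parse_sessions(text):
    """Return (pid, username) pairs from the smbstatus process table."""
    sessions = []
    for line in text.splitlines()[2:]:          # skip header and dashed rule
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            sessions.append((int(fields[0]), fields[1]))
    return sessions

def stale_sessions(before, after, sessions):
    """Return {pid: groups_lost} for connected users removed from a group.
    The token was built at connect time, so those groups stay effective
    until the session is closed and re-established."""
    old, new = parse_groups(before), parse_groups(after)
    return {pid: old.get(u, set()) - new.get(u, set())
            for pid, u in sessions if old.get(u, set()) - new.get(u, set())}

if __name__ == "__main__":
    for pid, lost in stale_sessions(GROUP_BEFORE, GROUP_AFTER, parse_sessions(SMBSTATUS)).items():
        print(f"smbd pid {pid} still holds a token with {sorted(lost)}; disconnect it")
```

With real data, feed it the saved pre-edit copy of /etc/group, the current file, and the live `smbstatus -p` output; the reported PIDs are the sessions to disconnect so the user reconnects with a fresh token.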
