[Samba] access to files continues after removing user from group
Chad William Seys
cwseys at physics.wisc.edu
Wed May 11 14:54:39 UTC 2016
Hi Jeremy,
> Logged in tokens with group lists don't dynamically
> change to reflect changes in the group database.
> The token (user id and group list) is created
> at login time, and will remain the same whilst
> that user is connected.
Thanks for the explanation.
It seems like the token should be used to determine "who" the process is,
while their username and groups they belong to compared against the filesystem
ACL "what" they can access.
Shouldn't Samba be checking the filesystem ACL and the user/group membership
every time a file/dir are accessed? The kernel should do this for Samba if
Samba always dropped privileges to access files, right?
Seems like a security bug waiting to happen not to do this.
Chad.
More information about the samba
mailing list