[Samba] access to files continues after removing user from group

Chad William Seys cwseys at physics.wisc.edu
Wed May 11 14:54:39 UTC 2016

Hi Jeremy,

> Logged in tokens with group lists don't dynamically
> change to reflect changes in the group database.
> The token (user id and group list) is created
> at login time, and will remain the same whilst
> that user is connected.

Thanks for the explanation.

It seems like the token should be used to determine "who" the process is, 
while their username and the groups they belong to are compared against the 
filesystem ACL for "what" they can access.

Shouldn't Samba be checking the filesystem ACL and the user/group membership 
every time a file/dir is accessed?  The kernel should do this for Samba if 
Samba always dropped privileges to access files, right?

Seems like a security bug waiting to happen not to do this.
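The behaviour described in the quoted reply, modelled as an added example that is not Samba's code: a session token snapshots the user's group list at login and every later permission check consults the token, not the group database. A Unix process behaves the same way (initgroups(3)/setgroups(2) fix the supplementary group list when the session starts), which is why dropping privileges alone would not make the kernel notice a later group removal either. The user names, ids, files and the `token_is_stale` check are constructed for this example; the check shows the defensive step a server can take, namely detecting that a live session no longer matches the database so it can be re-authenticated.

```python
"""Added model (not Samba code) of a login token that snapshots group
membership, the behaviour the quoted reply describes.

A Unix process works the same way: initgroups(3)/setgroups(2) fix the
supplementary group list when the session starts, and later permission
checks use that list, not the current contents of the group database.
The names, ids and files below are constructed for the example.
"""
import copy
from dataclasses import dataclass

# Constructed databases: group -> (gid, members); user -> (uid, primary gid)
GROUP_DB = {
    "users":   (100, {"alice", "bob"}),
    "finance": (200, {"alice"}),
}
PASSWD_DB = {"alice": (1000, 100), "bob": (1001, 100)}


@dataclass(frozen=True)
class Token:
    """Credentials captured at login; immutable for the life of the session."""
    user: str
    uid: int
    gid: int
    groups: frozenset  # supplementary gids, resolved once at login


@dataclass(frozen=True)
class File:
    owner_uid: int
    group_gid: int
    mode: int  # POSIX mode bits, e.g. 0o640


def live_groups(user, group_db):
    """Group ids the database currently lists the user in."""
    return frozenset(gid for gid, members in group_db.values() if user in members)


def login(user, group_db):
    """Build the session token from the databases as they are right now."""
    uid, gid = PASSWD_DB[user]
    return Token(user, uid, gid, live_groups(user, group_db))


def can_read(token, f):
    """Owner/group/other read check against the token, never the database."""
    if token.uid == f.owner_uid:
        return bool(f.mode & 0o400)
    if f.group_gid == token.gid or f.group_gid in token.groups:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)


def remove_from_group(group_db, user, group):
    """Administrative change to the database; existing tokens are untouched."""
    group_db[group][1].discard(user)


def token_is_stale(token, group_db):
    """Defensive check a server could run (hypothetical, not a Samba feature):
    does the token still match the database?  A stale token means the
    session should be re-authenticated rather than trusted further."""
    return token.groups != live_groups(token.user, group_db)


def demonstrate():
    db = copy.deepcopy(GROUP_DB)
    report = File(owner_uid=0, group_gid=200, mode=0o640)   # root:finance, rw-r-----
    tok = login("alice", db)
    before = can_read(tok, report)                 # True: alice is in finance
    remove_from_group(db, "alice", "finance")
    still = can_read(tok, report)                  # True: the token snapshot is unchanged
    fresh = can_read(login("alice", db), report)   # False: a new login picks up the change
    stale = token_is_stale(tok, db)                # True: the old session should be dropped
    return before, still, fresh, stale


if __name__ == "__main__":
    print(demonstrate())
```

Running the module prints `(True, True, False, True)`: access continues for the existing session, a fresh login is denied, and the staleness check flags the old session. The practical consequence for an administrator is the one the thread is circling: after removing a user from a group, existing connections have to be terminated (or the user forced to reconnect) before the change takes effect.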


