[Samba] access to files continues after removing user from group
Chad William Seys
cwseys at physics.wisc.edu
Wed May 11 16:00:49 UTC 2016
Hi Jeremy,
> The kernel checks the token attached to the process
> at the time the process accesses the filesystem/resource.
>
> This is how OS'es work. It's how they *all* work.
>
> What you're complaining about is that changes to
> the database that is used to create the process
> token don't dynamically update running process
> tokens.
>
> That's just not the way running processes work
> I'm afraid.
Well I'll be! I verified that this is the case for netatalk as well. I am
surprised the security-minded haven't gone bonkers over this. I wonder what
reason(s) keep them pacified?

I still don't understand why removing a user from a group does not take effect
until a new process starts
BUT ADDING a user to the group takes effect immediately.

Isn't this inconsistent with the "no dynamic updates to running processes"
idea?
Thanks again,
Chad.
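
An audit for the behaviour discussed in this message, as an added example that is not part of the original post or of Samba: it compares the group IDs a running process holds with what the group database grants its user now. It assumes Linux (the Groups: line of /proc/<pid>/status) and a process running under the user's real UID; SAMPLE_STATUS and the function names are constructed for illustration.

```python
import os
import pwd

# Constructed sample of /proc/<pid>/status for a long-running process.
SAMPLE_STATUS = (
    "Name:\tfileserver\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t27 1000 2001 \n"
)

def parse_status(text):
    """Return (real uid, real gid, supplementary gid set) from status text."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    uid = int(fields["Uid"].split()[0])
    gid = int(fields["Gid"].split()[0])
    groups = {int(g) for g in fields.get("Groups", "").split()}
    return uid, gid, groups

def group_drift(status_text, current_groups):
    """Compare the process token with the group database.

    Returns (stale, missing): gids the process still holds but the database
    no longer grants, and gids the database grants but the process lacks.
    """
    _, gid, held = parse_status(status_text)
    held = held | {gid}
    current = set(current_groups) | {gid}
    return sorted(held - current), sorted(current - held)

def scan_live():
    """Map pid -> stale gids for every readable process on this host."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
            uid, _, _ = parse_status(text)
            user = pwd.getpwuid(uid)
            current = os.getgrouplist(user.pw_name, user.pw_gid)
        except (OSError, KeyError):
            continue  # process exited, or uid has no passwd entry
        stale, _ = group_drift(text, current)
        if stale:
            findings[int(pid)] = stale
    return findings

if __name__ == "__main__":
    for pid, gids in sorted(scan_live().items()):
        print(f"pid {pid} still holds removed gids: {gids}")
```

Processes reported by scan_live() keep the removed group until they are restarted or the session is re-established.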