[Samba] access to files continues after removing user from group

Chad William Seys cwseys at physics.wisc.edu
Wed May 11 16:00:49 UTC 2016

Hi Jeremy,

> The kernel checks the token attached to the process
> at the time the process accesses the filesystem/resource.
> This is how OS'es work. It's how they *all* work.
> What you're complaining about is that changes to
> the database that is used to create the process
> token doesn't dynamically update running process
> tokens.
> That just not the way running processes work
> I'm afraid.

Well I'll be!  I verified that this is the case for netatalk as well.  I am 
surprised the security minded haven't gone bonkers over this.  I wonder what 
reason(s) keep them pacified?

I still don't understand why removing a user from group does not take effect 
until a new process starts
BUT ADDING a user to the group takes effect immediately.

Isn't this inconsistent with the "no dynamic updates to running processes" 

Thanks again,

More information about the samba mailing list