[Samba] access to files continues after removing user from group

Jeremy Allison jra at samba.org
Wed May 11 16:07:28 UTC 2016

On Wed, May 11, 2016 at 11:00:49AM -0500, Chad William Seys wrote:
> Hi Jeremy,
> > The kernel checks the token attached to the process
> > at the time the process accesses the filesystem/resource.
> > 
> > This is how OS'es work. It's how they *all* work.
> > 
> > What you're complaining about is that changes to
> > the database that is used to create the process
> > token doesn't dynamically update running process
> > tokens.
> > 
> > That's just not the way running processes work
> > I'm afraid.
> Well I'll be!  I verified that this is the case for netatalk as well.  I am 
> surprised the security minded haven't gone bonkers over this.  I wonder what 
> reason(s) keep them pacified?

Because that's just the way the process model works.

> I still don't understand why removing a user from group does not take effect 
> until a new process starts
> BUT ADDING a user to the group takes effect immediately.
> Isn't this inconsistent with the "no dynamic updates to running processes" 
> idea?

Adding a user to a group won't change the token on existing
processes. If a user attaches to Samba after that user is
added to the group, it will create a new token attached to
the new smbd process. It won't change any existing smbd
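
The following is an added example, not code from this thread or from Samba. It makes the point above observable on a Linux/glibc host: the kernel consults the supplementary group list attached to the process (read with `getgroups()`), which was fixed when the process was created, while the account database is what a *new* process would receive (read with `getgrouplist()`). Any group in the first set but not in the second is stale access that persists until the process (here, the long-running smbd) exits. The helper names (`stale_groups`, `process_groups`, `database_groups`) and the `MAX_GROUPS` limit are assumptions of this example.

```c
/* Added example (not from the Samba thread or Samba's code): compare the
 * supplementary groups held by the running process (its credential set,
 * fixed at process creation) with what the account database grants now.
 * A group present in the process but absent from the database is stale:
 * the process keeps that access until it exits. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_GROUPS 256   /* assumed upper bound for this example */

/* Pure comparison: copy every gid in proc[] that does not occur in db[]
 * into stale[] (at most maxstale of them). Returns the stale count. */
int stale_groups(const gid_t *proc, int nproc,
                 const gid_t *db, int ndb,
                 gid_t *stale, int maxstale)
{
    int nstale = 0;
    for (int i = 0; i < nproc; i++) {
        int found = 0;
        for (int j = 0; j < ndb; j++) {
            if (proc[i] == db[j]) { found = 1; break; }
        }
        if (!found) {
            if (nstale < maxstale) stale[nstale] = proc[i];
            nstale++;
        }
    }
    return nstale;
}

/* Groups in this process's credential set: what the kernel checks on
 * every open(). getgroups(0, NULL) just returns the count. */
int process_groups(gid_t *buf, int max)
{
    return getgroups(max, buf);
}

/* Groups the account database would grant the user *now*: what a freshly
 * started process (e.g. a new smbd for a new session) would receive.
 * Returns -1 if buf is too small. */
int database_groups(const char *user, gid_t primary, gid_t *buf, int max)
{
    int n = max;
    if (getgrouplist(user, primary, buf, &n) == -1)
        return -1;
    return n;
}

int main(void)
{
    gid_t proc[MAX_GROUPS], db[MAX_GROUPS], stale[MAX_GROUPS];
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) { perror("getpwuid"); return 1; }

    int nproc = process_groups(proc, MAX_GROUPS);
    int ndb = database_groups(pw->pw_name, pw->pw_gid, db, MAX_GROUPS);
    if (nproc < 0 || ndb < 0) { perror("group lookup"); return 1; }

    int nstale = stale_groups(proc, nproc, db, ndb, stale, MAX_GROUPS);
    for (int i = 0; i < nstale; i++) {
        struct group *gr = getgrgid(stale[i]);
        printf("stale group in process credentials: %u (%s)\n",
               (unsigned)stale[i], gr ? gr->gr_name : "?");
    }
    printf("%d stale group(s); only a new process picks up the change\n",
           nstale);
    return nstale ? 2 : 0;
}
```

Run it from a shell whose session started before a group removal and it reports the removed group as stale; a shell started after the removal reports none. For a file server the same logic says that the remediation for a revoked group is to end the user's existing sessions (so their smbd processes exit), not merely to edit the group database.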
