[Samba] Introducing nogperm

Xen list at xenhideout.nl
Thu Oct 6 15:27:33 UTC 2016


So yesterday I ran into the issue (again) that my local system (Linux) 
would create local restrictions for editing and creating files that were 
not mirrored on the samba server.

As a consequence I have introduced the option "nogperm" into my own 
kernel that does something similar to what "noperm" does but it works 
differently. While noperm skips permission checks entirely, nogperm only 
skips them if the local user is part of the group of the file/directory.

Actually, that is pretty much the same thing.

Apart from the boilerplate code, this is the entirety of the patch:

diff -ur cifs_original/cifsfs.c cifs/cifsfs.c
--- cifs_original/cifsfs.c	2016-09-06 17:42:01.000000000 +0200
+++ cifs/cifsfs.c	2016-10-06 03:28:43.450711676 +0200
@@ -230,6 +230,9 @@
  			return -EACCES;
  		else
  			return 0;
+	} else if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_GPERM) &&
+		in_group_p(inode->i_gid)) {
+			return 0;
  	} else /* file mode might have been restricted at mount time
  		on the client (above and beyond ACL on servers) for
  		servers which do not support setting and viewing mode bits,
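
Review bot: the new else-if branch returns 0 without consulting mask or the group mode bits, so on a CIFS_MOUNT_NO_GPERM mount any local member of inode->i_gid passes the client-side check for read, write and execute alike. If the intent is only to stop the client from being stricter than the server, say so in a comment above the branch and in the mount option documentation, and note that the server's own access checks are then the only enforcement; otherwise test the requested mask against the group bits of inode->i_mode before returning 0. in_group_p() compares local numeric gids, so the branch also relies on the gid shown on the inode matching a group the local user really belongs to, which deserves a line in that comment. Style: the body "return 0;" sits one tab deeper than the branch calls for, and the continuation line "in_group_p(inode->i_gid)) {" would read better aligned under the opening parenthesis of the condition.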


Consequently, when I now mount using this option, I can now write to 
this directory of which my user is in the remote group :).

At the same time, I do not provide access to the entire system. A group 
check needs to happen first, and there is no free "world" access in that 
sense. Basically, it is "noperm" /IF/ you are part of the remote group.

I am not doing any mapping here, so this is a remote LDAP group 
(currently) that I am locally also part of.

Without this parameter I would see the following:

[~]:/nas/pub$ touch b
touch: cannot touch 'b': Permission denied

With the parameter, I now get:

[~]:/nas/pub$ touch a
[~]:/nas/pub$

Success! I must admit I cheered here a little bit ;-).


