[Samba] Introducing nogperm
Xen
list at xenhideout.nl
Thu Oct 6 15:27:33 UTC 2016
So yesterday I ran into the issue (again) that my local system (Linux)
would create local restrictions for editing and creating files that were
not mirrored on the samba server.
As a consequence I have introduced the option "nogperm" into my own
kernel that does something similar to what "noperm" does but it works
differently. While noperm skips permission checks entirely, nogperm only
skips them if the local user is part of the group of the file/directory.
Actually, that is pretty much the same thing.
Apart from the boilerplate code, this is the entirety of the patch:
diff -ur cifs_original/cifsfs.c cifs/cifsfs.c
--- cifs_original/cifsfs.c 2016-09-06 17:42:01.000000000 +0200
+++ cifs/cifsfs.c 2016-10-06 03:28:43.450711676 +0200
@@ -230,6 +230,9 @@
return -EACCES;
else
return 0;
+ } else if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_GPERM) &&
+ in_group_p(inode->i_gid)) {
+ return 0;
} else /* file mode might have been restricted at mount time
on the client (above and beyond ACL on servers) for
servers which do not support setting and viewing mode bits,
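Review bot: The added `else if` branch returns 0 as soon as `in_group_p(inode->i_gid)` is true, without looking at the requested access mask or at the group bits of the file mode. A group member is therefore allowed write access on the client even when the mode gives the group read-only access, and the server becomes the only place the request is checked. If the aim is only to stop the client from denying what the server would permit, state that in a comment above the branch and in the description of the mount option; otherwise test the group bits of the mode against the requested access before returning 0. The test also relies on the client-side `i_gid` carrying the same gid number as the server-side group, so the option's documentation should say that no id mapping is applied. The hunk does not show where `CIFS_MOUNT_NO_GPERM` is defined or how the mount option is parsed, so those parts still need to be posted for review.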
Consequently, when I now mount using this option, I can now write to
this directory of which my user is in the remote group :).
At the same time, I do not provide access to the entire system. A group
check needs to happen first, and there is no free "world" access in that
sense. Basically, it is "noperm" /IF/ you are part of the remote group.
I am not doing any mapping here, so this is a remote LDAP group
(currently) that I am locally also part of.
Without this parameter I would see the following:
[~]:/nas/pub$ touch b
touch: cannot touch 'b': Permission denied
With the parameter, I now get:
[~]:/nas/pub$ touch a
[~]:/nas/pub$
Success! I must admit I cheered here a little bit ;-).