[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)
maillist at iveze.nl
Tue Aug 14 16:34:52 UTC 2018
Just to share the good news: since Samba version 4.7.1 came with the CentOS
updates, the setgid bit is propagated to new subdirectories again.
Kind regards, Vincent
On 05/02/2018 17:47, Vincent via samba wrote:
> Hi Lorenzo and Dale,
> My setup is like Lorenzo's completely based on setgid being
> propagated. The filesystem should determine the group used starting at
> a certain directory. Different "root" directories have different
> groups, and security is based on groups, not users.
> I tried all sorts of settings combinations, also "force directory
> mode = 2770", but none propagates setgid.
> The odd thing is that it has worked fine for years on versions below
> 4.2.10. Only after updating to 4.6.2 did it completely stop working. I
> wonder if it is a new feature to neglect setgid completely, or whether it
> is a bug and I may expect it to work again in future versions.
> Kind regards, Vincent
> On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
>> thanks for the suggestion; in other words you use only ACLs for users,
>> denying all for groups. Unfortunately we have many groups such as
>> domain users, secretary, finance, etc. belonging to users, for which we
>> need to apply at least 770 in order to gain simplified permission
>> management using groups.
>> the actual dirty workaround I applied was to track new files/dirs by
>> tailing with follow (tail -f) a smbd_audit.log filtered through
>> rsyslog for messages generated by samba full_audit configured to
>> listen for the "create_file" event; the problem here is that sometimes
>> samba full_audit reports the event of a file or folder being created
>> while the element isn't on the disk yet, so as a security checkpoint I
>> ended up applying a chgrp -R root nightly.
>> all of these problems could easily be resolved if there existed an
>> option such as a hypothetical "force item group" that allowed me to
>> force the group for created items (note that the current "force
>> group" option does not work for me because it applies as an impersonation
>> of a group for the authenticated user, generating more security problems).
>> Lorenzo Delana
>> On 02/02/2018 17:15, Dale Renton wrote:
>>> Have you found a solution that makes "force directory mode = 2770"
>>> apply to newly created folders?
>>> We have noticed the same thing in CentOS 7. The setgid no longer
>>> works like it did before, so now we create our shares like this,
>>> following the instructions from the wiki.
>>> # chmod 700 /u01/test
>>> # chown root:root /u01/test
>>> # setfacl -m group::--- /u01/test
>>> # setfacl -m default:group::--- /u01/test
>>> # setfacl -m other::--- /u01/test
>>> # setfacl -m default:other::--- /u01/test
>>> # setfacl -m group:unixadmins:rwx /u01/test
>>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>> comment = test
>>> path = /u01/test
>>> read only = No
>>> inherit acls = yes