[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)
Vincent
maillist at iveze.nl
Tue Aug 14 16:34:52 UTC 2018
Hi everyone,
Just to share the good news: Since Samba version 4.7.1 came with CentOS
updates, the setgid bit is propagated to new subdirectories again.
Kind regards, Vincent
On 05/02/2018 17:47, Vincent via samba wrote:
> Hi Lorenzo and Dale,
>
> My setup is like Lorenzo's completely based on setgid being
> propagated. The filesystem should determine the group used starting at
> a certain directory. Different "root" directories have different
> groups, and security is based on groups, not users.
>
> I tried all sorts of settings combinations, also "force directory
> mode = 2770", but none propagates setgid.
>
> The odd thing is that it has worked fine for years on versions below
> 4.2.10. Only after updating to 4.6.2 it completely stopped working. I
> wonder if it is a new feature to neglect setgid completely, or that it
> is a bug and that I may expect it working again in future versions.
>
> Kind regards, Vincent
>
>
> On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
>> thanks for the suggestion, in other words you use only ACLs for users,
>> denying all for groups; unfortunately we had many groups such as
>> domain users, secretary, finance, etc. belonging to users for which we
>> need to apply at least 770 in order to gain a simplified permission
>> management using groups
>>
>> the actual dirty workaround I applied was to track new files/dirs by
>> tailing with follow ( tail -f ) a smbd_audit.log filtered through
>> rsyslog for messages generated by samba full_audit configured to
>> listen for the "create_file" event; the problem here is that sometimes
>> samba full_audit reports the event of a file or folder being created
>> but the element isn't on the disk yet, so as a security checkpoint I
>> ended up applying a chgrp -R root nightly on a daily basis.
>>
>> all of these problems could easily be resolved if there existed an
>> option such as a hypothetical "force item group" that allowed me to
>> force the group for created items ( note that the current "force
>> group" option does not work for me because it applies as an
>> impersonation of a group for the authenticated user, generating more
>> security problems ).
>>
>>
>> Lorenzo Delana
>>
>> On 02/02/2018 17:15, Dale Renton wrote:
>>>
>>> have you found a solution that makes "force directory mode = 2770"
>>> able to apply to new created folders ?
>>>
>>>
>>> We have noticed the same thing in CentOS 7. The setgid no longer
>>> works like it did before, so now we create our shares like this
>>> following the instructions from the wiki.
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>>
>>>
>>> # chmod 700 /u01/test
>>> # chown root:root /u01/test
>>> # setfacl -m group::--- /u01/test
>>> # setfacl -m default:group::--- /u01/test
>>> # setfacl -m other::--- /u01/test
>>> # setfacl -m default:other::--- /u01/test
>>> # setfacl -m group:unixadmins:rwx /u01/test
>>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>>
>>>
>>> smb.conf
>>>
>>> [test]
>>> comment = test
>>> path = /u01/test
>>> read only = No
>>> inherit acls = yes
>>>
>>>
>>> Dale
>>
>
>
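
Added example, not part of the original thread: a read-only audit of a share tree for the two kinds of drift discussed above, directories that lost the setgid bit and entries whose group differs from the share root's group. It can report what a nightly chgrp -R checkpoint would otherwise overwrite silently. The function name audit_share_group is hypothetical; the path /u01/test is the one from Dale's message.

```shell
#!/bin/sh
# Added example (not from the thread): report setgid/group drift under a share root.
# Output: one line per finding, "<kind><TAB><path>", where kind is
#   nosetgid  directory without the setgid bit (new children will not inherit its group)
#   group     file or directory whose group differs from the share root's group
# Assumption: paths contain no newlines, since the report is line-based.
audit_share_group() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Numeric GID of the share root (4th field of "ls -ldn").
    gid=$(ls -ldn "$root" | awk '{print $4}')

    # -xdev keeps the walk on one filesystem; find does not follow symlinks by default.
    # -perm -2000 matches entries with the setgid bit set, so negate it for directories.
    find "$root" -xdev -type d ! -perm -2000 -exec printf 'nosetgid\t%s\n' {} \;

    # Anything not owned by the root directory's group has escaped the group model.
    find "$root" -xdev ! -group "$gid" -exec printf 'group\t%s\n' {} \;
}

# Stand-alone use: sh audit.sh /u01/test
if [ $# -gt 0 ]; then
    audit_share_group "$1"
fi
```

Empty output means every directory still carries setgid and every entry has the root's group; the script changes nothing on disk.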