[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)

Vincent maillist at iveze.nl
Tue Aug 14 16:34:52 UTC 2018


Hi everyone,

Just to share the good news: Since Samba version 4.7.1 came with CentOS 
updates, the setgid bit is propagated to new subdirectories again.

Kind regards, Vincent


On 05/02/2018 17:47, Vincent via samba wrote:
> Hi Lorenzo and Dale,
>
> My setup is like Lorenzo's completely based on setgid being 
> propagated. The filesystem should determine the group used starting at 
> a certain directory. Different "root" directories have different 
> groups, and security is based on groups, not users.
>
> I tried all sorts of settings combinations, also "force directory 
> mode = 2770", but none propagates setgid.
>
> The odd thing is that it has worked fine for years on versions below 
> 4.2.10. Only after updating to 4.6.2 it completely stopped working. I 
> wonder if it is a new feature to neglect setgid completely, or that it 
> is a bug and that I may expect it working again in future versions.
>
> Kind regards, Vincent
>
>
> On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
>> Thanks for the suggestion. In other words, you use only ACLs for 
>> users, denying all for groups. Unfortunately we had many groups such 
>> as domain users, secretary, finance, etc. belonging to users, for 
>> which we need to apply at least 770 in order to gain simplified 
>> permission management using groups.
>>
>> The actual dirty workaround I applied was to track new files/dirs by 
>> tailing with follow (tail -f) an smbd_audit.log filtered through 
>> rsyslog for messages generated by Samba full_audit configured to 
>> listen for the "create_file" event; the problem here is that 
>> sometimes Samba full_audit reports the event of a file or folder 
>> being created but the element isn't on the disk yet, so as a security 
>> checkpoint I ended up applying a chgrp -R root nightly on a daily 
>> basis.
>>
>> All of these problems could easily be resolved if there existed an 
>> option such as a hypothetical "force item group" that allowed me to 
>> force the group for created items (note that the current "force 
>> group" option does not work for me because it applies as an 
>> impersonation of a group for the authenticated user, generating more 
>> security problems).
>>
>>
>> Lorenzo Delana
>>
>> On 02/02/2018 17:15, Dale Renton wrote:
>>>
>>>     have you found a solution that makes "force directory mode = 2770"
>>>     able to apply to new created folders ?
>>>
>>>
>>> We have noticed the same thing in CentOS 7. The setgid no longer 
>>> works like it did before, so now we create our shares like this 
>>> following the instructions from the wiki.
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>>
>>>
>>> # chmod 700 /u01/test
>>> # chown root:root /u01/test
>>> # setfacl -m group::--- /u01/test
>>> # setfacl -m default:group::--- /u01/test
>>> # setfacl -m other::--- /u01/test
>>> # setfacl -m default:other::--- /u01/test
>>> # setfacl -m group:unixadmins:rwx /u01/test
>>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>>
>>>
>>> smb.conf
>>>
>>>  [test]
>>>   comment = test
>>>   path = /u01/test
>>>   read only = No
>>>   inherit acls = yes
>>>
>>>
>>> Dale
>>
>
>
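
An added example, not part of the thread or of Samba: a shell check that walks a share tree and reports directories that lack the setgid bit or whose group differs from the share root's, which is the state a nightly `chgrp -R` is meant to catch. The function names and the `NOSGID`/`GROUP` output labels are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Report directories under a share root that lack the setgid bit or whose
# group differs from the root's. Returns 0 if clean, 1 on findings, 2 on
# a bad argument.
audit_setgid_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Numeric GID of the share root is the 4th field of "ls -ldn".
    want_gid=$(ls -ldn "$root" | awk '{print $4}')
    findings=$(
        find "$root" -type d ! -perm -2000 | sed 's/^/NOSGID /'
        find "$root" -type d ! -group "$want_gid" | sed 's/^/GROUP /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: "good" keeps setgid, "bad" has it stripped,
# mimicking a subdirectory created without the bit being propagated.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    chmod 2770 "$t"
    mkdir "$t/good" "$t/bad"
    chmod g+s "$t/good"
    # Use g-s: GNU chmod keeps a directory's setgid bit on a plain
    # numeric mode such as 0770, so that would not clear it.
    chmod g-s "$t/bad"
    echo "$t"
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then audit_setgid_tree "$1"; fi
```

Run against a share path after a Samba upgrade, an empty result with exit status 0 means every directory still carries the setgid bit and the root's group.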



