[Samba] Reload config with SIGHUP does not immediately revoke access to host removed from hosts allow

L A Walsh samba at tlinx.org
Thu Feb 1 05:45:13 UTC 2018

Akash Jain via samba wrote:
> Hello All
> My samba-4.x server has a lot of registry shares added. There are Windows
> clients connected to it and I wanted to remove the access to one of the
> hosts.
    Just a guess, but since cifs/samba uses 'tcp' for client<->server
connections, the hosts.allow/deny mechanism does its access checking
when a new connection is attempted.  Since the clients were already
connected, there was no new check for those clients already connected.

> I did net conf setparm to set the updated list of IPs in "hosts allow"
> param and then reloaded samba config with killall -1 smbd .
> I see that the host which is not part of the hosts allow but already has an
> open window in Windows Explorer still continues to get the access for a good
> amount of time which is a security flaw.
    You could say that, but would you really want access checking done for
every byte you read or write on a file?  Worse, the access checking
involves many trips over the network. 

    On *nix systems, once you have a file descriptor open -- you have a
handle to anything accessible with that descriptor.  In the case of
Windows -- an entire Windows session is funneled through 1 TCP connection
between each server and client.  That limitation (1 connection between
client and server) also is a limiting factor in file transfers, since
multiple CPUs and multiple connections that might enable significantly
faster performance through parallel connections aren't easily done.

    Only in cifs 3.x (not sure the sub-num) has MS realized this and started
trying to allow some work to be done in additional streams.

    To enforce your rules, you must make sure clients are disconnected from
the server so they have to go through the initial access checking in
the hosts.xxx files.
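
An added example, not part of the original post or of Samba's own code: after `hosts allow` has been tightened and smbd reloaded, it finds sessions that were established earlier and no longer match the list, and prints the `smbcontrol` `kill-client-ip` message that would close them. The `smbstatus -p` sample is constructed; the parser assumes the `(ipv4:ADDR:PORT)` form in the Machine column and handles only plain IPv4 addresses and CIDR networks in `hosts allow`.

```python
import ipaddress
import re

# Constructed sample of `smbstatus -p` output; column layout varies by Samba version.
SAMPLE_SMBSTATUS = """\
Samba version 4.7.4
PID     Username     Group        Machine                                   Protocol Version  Encryption  Signing
-----------------------------------------------------------------------------------------------------------------
2211    alice        users        192.0.2.10 (ipv4:192.0.2.10:49832)        SMB3_11           -           partial(AES-128-CMAC)
2240    bob          users        192.0.2.77 (ipv4:192.0.2.77:50110)        SMB3_11           -           partial(AES-128-CMAC)
2302    carol        users        198.51.100.5 (ipv4:198.51.100.5:51234)    SMB2_10           -           -
"""

# A session row starts with the smbd PID and carries the peer as (ipv4:ADDR:PORT).
SESSION_RE = re.compile(r"^(\d+)\s+.*\(ipv4:(\d+\.\d+\.\d+\.\d+):\d+\)", re.M)


def parse_allow(value):
    """Parse a 'hosts allow' value limited to IPv4 addresses and CIDR networks."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def stale_sessions(smbstatus_text, hosts_allow):
    """Return (pid, ip) for sessions whose peer is outside the new allow list."""
    nets = parse_allow(hosts_allow)
    stale = []
    for pid, addr in SESSION_RE.findall(smbstatus_text):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            stale.append((int(pid), addr))
    return stale


def disconnect_commands(stale):
    """One smbcontrol command per distinct stale client address."""
    return [f"smbcontrol smbd kill-client-ip {ip}"
            for ip in sorted({ip for _, ip in stale})]


if __name__ == "__main__":
    # New allow list after the change: 192.0.2.77 has been removed.
    new_allow = "192.0.2.10 198.51.100.0/24"
    for cmd in disconnect_commands(stale_sessions(SAMPLE_SMBSTATUS, new_allow)):
        print(cmd)
```

On a live server the sample text would be replaced by the real output of `smbstatus -p` and the allow list by the value just set with `net conf setparm`.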

