[Samba] Permissions not inherited when moving a file
Sören Busse
soeren.busse at magis.school
Tue Aug 6 13:22:08 UTC 2019
Hello Samba list subscribers,
I have a permission issue when moving files or directories (rename
syscall) between directories with different permissions in my share.
I'm using POSIX ACLs on my shares.
These are my users:
user.one (uid: 101111, gid: 101111)
SAMDOM\Domain Users (gid: 100513)
I've got the following directories:
This is the private (home) directory of user.one. The user is the user
owner and group owner and has full permissions (770):
# file: Users/user.one/
# owner: 101111
# group: 101111
# flags: -s-
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---
This user also has a public directory where only the user is able to
write files and all other users in this domain should only be able to
read the files.
Whenever the user creates a file in there, all "Domain Users (100513)"
will only have read permissions on the files because of the default ACLs:
# file: Public/user.one/
# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
This works absolutely fine when copying or creating files.
However when the user moves a file from the private directory
(Users/user.one) with the following permissions:
# file: Users/user.one/test
# owner: 101111
# group: 101111
user::rwx
group::rwx
mask::rwx
other::---
to the public directory, the permissions stay the SAME. This will
practically prevent any user from reading the file, because the move (or
rename syscall) doesn't inherit the default ACLs. I find this behavior
very unexpected, although it makes total sense from the file system's
point of view.
The main question now is: How to solve this problem?
Here are some ideas I had:
1. Samba should apply the POSIX ACLs from the parent directory
automatically after a rename, as is done with the archive bit. This
feature should be off by default and can be enabled in the configuration.
https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055
2. Use an external service which watches directory movements and then
applies the permissions recursively.
2.1 Inotify: It would be possible to use inotify. The main disadvantage
is the lack of automatic recursive watchers. So your external service
needs to create a separate watch for every directory, which might be
quite performance-intensive when your share has several hundred thousand
directories (e.g. when some users develop Node.js applications with their
thousands of dependencies).
2.2 Fanotify: It was updated with kernel 5.1 and now supports
notifications for file movements.
https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements
This, however, doesn't work with multiple namespaces, which is a must for
our use case (Docker).
So how do you mitigate this problem in your environment? I think this
scenario isn't so special that other users wouldn't have the same
issue.
I would appreciate any advice or tips on how to solve this problem.
Kind regards
Sören Busse
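As an added worked example (not code from the original post and not Samba's own code): the "apply the permissions" half of idea 2, i.e. what an external service would run once it has learned that an object was moved. rename(2) leaves the object's access ACL untouched, so the helper below computes the access ACL the object would have received had it been created in the destination directory, using the same masking rule the Linux kernel applies at create time (default entries copied, user:: ANDed with the owner bits of the creation mode, other:: with the other bits, and mask:: or, without a mask, group:: with the group bits), and emits it in setfacl(1) syntax. Assumptions: Linux with getfacl/setfacl from the acl package; the moved object's current mode bits stand in for the creation mode, so an executable file stays executable; the embedded getfacl listing is the Public/user.one directory from the post, constructed as sample input. Samba's create mask / directory mask settings are not modeled, and `setfacl --set` replaces the whole ACL, so any named entries the object carried from its old location are intentionally dropped. setfacl leaves the setgid bit shown as `# flags: -s-` alone.

```python
"""Re-apply a destination directory's default POSIX ACL to an object that was
moved (rename(2)) into it.  rename(2) keeps the existing access ACL and never
consults the destination's default ACL; this derives what a fresh create would
have produced and can apply it with the acl tools.  Added example, not from the
original post."""
import os
import re
import stat
import subprocess
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]  # (tag, qualifier, perms), e.g. ("group", "", "r-x")

# Constructed sample input: the getfacl(1) listing of Public/user.one from the post.
PUBLIC_DIR_GETFACL = """\
# file: Public/user.one/
# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text: str) -> Tuple[List[Entry], List[Entry]]:
    """Split getfacl output into (access, default) entry lists; '#' headers are skipped."""
    access: List[Entry] = []
    default: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#effective:", 1)[0].strip()  # drop getfacl's effective-rights hint
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        is_default, tag, qual, perms = m.groups()
        (default if is_default else access).append((tag, qual, perms))
    return access, default


def _bits(perms: str) -> int:
    return (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)


def _perms(bits: int) -> str:
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def inherit_access_acl(default_entries: List[Entry], mode: int) -> List[Entry]:
    """Turn default entries into an access ACL the way the Linux kernel does at
    create time (posix_acl_create_masq): copy every entry, then AND user:: with
    the owner bits of the creation mode, other:: with the other bits, and mask::
    (or group:: when no mask exists) with the group bits."""
    has_mask = any(tag == "mask" for tag, _, _ in default_entries)
    out: List[Entry] = []
    for tag, qual, perms in default_entries:
        bits = _bits(perms)
        if tag == "user" and qual == "":
            bits &= (mode >> 6) & 7
        elif tag == "other":
            bits &= mode & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= (mode >> 3) & 7
        out.append((tag, qual, _perms(bits)))
    return out


def setfacl_spec(parent_getfacl: str, target_mode: int, target_is_dir: bool) -> str:
    """Build input for 'setfacl --set-file=-'.  The object's current mode bits stand
    in for the creation mode; directories also receive the parent's default
    entries so their own future children inherit correctly."""
    _, default_entries = parse_getfacl(parent_getfacl)
    if not default_entries:
        raise ValueError("parent has no default ACL; nothing to inherit")
    lines = [f"{t}:{q}:{p}" for t, q, p in inherit_access_acl(default_entries, target_mode)]
    if target_is_dir:
        lines += [f"default:{t}:{q}:{p}" for t, q, p in default_entries]
    return "\n".join(lines) + "\n"


def reapply_parent_acl(path: str, parent: Optional[str] = None) -> None:
    """Fix a real path (Linux, acl package installed), recursing into a moved
    directory so everything that came along with the rename is fixed too.
    '--set' replaces the whole ACL, so stale named entries are dropped on purpose."""
    parent = parent or os.path.dirname(os.path.abspath(path))
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return  # symlinks have no ACL of their own
    parent_acl = subprocess.run(["getfacl", "--absolute-names", parent],
                                check=True, capture_output=True, text=True).stdout
    spec = setfacl_spec(parent_acl, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))
    subprocess.run(["setfacl", "--set-file=-", path], input=spec, check=True, text=True)
    if stat.S_ISDIR(st.st_mode):
        for child in os.listdir(path):
            reapply_parent_acl(os.path.join(path, child), parent=path)


if __name__ == "__main__":
    # The file from the post (Users/user.one/test, mode 0770) after 'mv' into Public/user.one
    print(setfacl_spec(PUBLIC_DIR_GETFACL, 0o770, target_is_dir=False), end="")
```

For the post's moved file (0770) the spec comes out as user::rwx, group::r-x, mask::r-x, other::---, which is exactly what a file created in Public/user.one gets and is what lets Domain Users read it; a 0660 file would instead get mask::r-- and an effective group right of r--. On a live share you would call `reapply_parent_acl("/path/to/Public/user.one/test")` from whatever detects the move (inotify, fanotify, or a log-driven trigger); the detection half is deliberately not part of this example.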