[Samba] Permissions not inherited when moving a file

Sören Busse soeren.busse at magis.school
Tue Aug 6 13:22:08 UTC 2019


Hello Samba list subscribers,

I have a permission issue when moving files or directories (rename 
syscall) between directories with different permissions in my share.
I'm using POSIX ACLs on my shares.

These are my users:
user.one (uid: 101111, gid: 101111)
SAMDOM\Domain Users (gid: 100513)

I've got the following directories:

This is the private (home) directory of user.one. The user is the user 
owner and group owner and has full permissions (770).

# file: Users/user.one/
# owner: 101111
# group: 101111
# flags: -s-
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---

This user also has a public directory where only the user is able to 
write files and all other users in this domain should only be able to 
read the files. Whenever the user creates a file in there, all "Domain 
Users (100513)" will only have read permissions to the files because of 
the default ACLs.

# file: Public/user.one/
# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---


This works absolutely fine when copying or creating files.
However when the user moves a file from the private directory 
(Users/user.one) with the following permissions:

# file: Users/user.one/test
# owner: 101111
# group: 101111
user::rwx
group::rwx
mask::rwx
other::---

to the public directory, the permissions stay the SAME. This will 
practically prevent any user from reading the file, because the move (or 
rename syscall) doesn't inherit the default ACLs. I find this behavior 
very unexpected, although it makes total sense from the file system's 
point of view.

The main question now is: How to solve this problem?

Here are some ideas I had:
1. Samba should apply the posix acls from the parent directory 
automatically after a rename like it is done with the archive bit. This 
feature should be off by default and can be enabled in the configuration.
https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055

2. Use an external service which watches directory movements and then 
applies the permissions recursively.
2.1 Inotify: It would be possible to use inotify. The main disadvantage 
is the lack of automatic recursive watchers. So your external service 
needs to create a separate watch for every directory, which might be 
quite performance intensive when your share has several hundred thousand 
directories (e.g. when some users develop nodejs applications with their 
thousands of dependencies).
2.2 Fanotify: It was updated with kernel 5.1 and now supports 
notifications for file movements.
https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements

This, however, doesn't work with multiple namespaces, which is a must for 
our use case (Docker).

So how do you mitigate this problem in your environment? I think this 
scenario isn't so special that some other users wouldn't have the same 
issue.

I would appreciate any advice or tips on how to solve this problem.

Kind regards
Sören Busse
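The "external service" from idea 2 needs to do what the kernel does at create time: derive the moved object's access ACL from the parent's default ACL and, for a moved directory, re-apply the defaults to its whole tree. The script below is an added example, not code from the post or from Samba; it assumes the getfacl/setfacl tools of the acl package and uses the Public/user.one default entries from the post as a constructed sample.

```python
import os, subprocess, sys

# Constructed sample: the default entries of Public/user.one from the post.
SAMPLE_GETFACL = ("# file: Public/user.one/\ndefault:user::rwx\n"
                  "default:group::r-x\ndefault:mask::r-x\ndefault:other::---\n")

def parse_default_entries(getfacl_output):
    """(tag, qualifier, perms) per default: line, minus any '#effective:' note."""
    entries = []
    for line in getfacl_output.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            entries.append(tuple(line[len("default:"):].split(":", 2)))
    return entries

def inherited_access_acl(defaults, is_dir):
    """Create mode (0777 dirs, 0666 files) is ANDed into user::, other:: and
    mask:: (group:: if no mask): files lose 'x' there; named entries stay."""
    has_mask = any(tag == "mask" for tag, _, _ in defaults)
    acl = []
    for tag, qual, perms in defaults:
        mode_applies = tag == "mask" or (not qual and (tag in ("user", "other")
                                         or (tag == "group" and not has_mask)))
        perms = perms[:2] + "-" if mode_applies and not is_dir else perms
        acl.append(f"{tag}:{qual}:{perms}")
    return acl

def setfacl_spec(defaults, is_dir):
    """Lines for 'setfacl --set-file=-'; a directory keeps the defaults too."""
    spec = inherited_access_acl(defaults, is_dir)
    return spec + ([f"default:{t}:{q}:{p}" for t, q, p in defaults] if is_dir else [])

def reapply(path):
    """Apply the parent's inheritance to path and, if a directory, to its tree."""
    parent = os.path.dirname(os.path.abspath(path))
    out = subprocess.run(["getfacl", "-p", parent], check=True,
                         capture_output=True, text=True).stdout
    defaults = parse_default_entries(out)
    if not defaults:  # parent has no default ACL: nothing would be inherited
        return 0
    targets = [(path, os.path.isdir(path))]
    for root, dirs, files in os.walk(path):
        targets += [(os.path.join(root, n), n in dirs) for n in dirs + files]
    targets = [t for t in targets if not os.path.islink(t[0])]  # stay inside the tree
    for target, is_dir in targets:
        subprocess.run(["setfacl", "--set-file=-", target], check=True, text=True,
                       input="\n".join(setfacl_spec(defaults, is_dir)) + "\n")
    return len(targets)  # objects whose ACL was rewritten

if __name__ == "__main__":  # e.g. ./reapply_acl.py Public/user.one/test
    print(sum(reapply(p) for p in sys.argv[1:]), "objects updated")
```

Whatever triggers it (inotify, fanotify, a periodic scan), only the moved top-level path needs to be passed in; the script walks a moved directory itself, and the moved object's real inode ownership is left untouched, as a rename would leave it.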
