[Samba] Permissions not inherited when moving a file

Rowland penny rpenny at samba.org
Tue Aug 6 13:45:19 UTC 2019


On 06/08/2019 14:22, Sören Busse via samba wrote:
> Hello Samba list subscribers,
>
> I have a permission issue when moving files or directories (rename 
> syscall) between directories with different permissions in my share.
> I'm using POSIX ACLs on my shares.
>
> These are my users:
> user.one (uid: 101111, gid: 101111)
> SAMDOM\Domain Users (gid: 100513)
>
> I've got the following directories:
>
> This is the private (home) directory of user.one. The user is the user 
> owner and group owner and has full permissions (770)
>
> # file: Users/user.one/
> # owner: 101111
> # group: 101111
> # flags: -s-
> user::rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:mask::rwx
> default:other::---
>
> This user also has a public directory where only the user is able to 
> write files and all other users in this domain should only be able to 
> read the files:
> Whenever the user creates a file in there all "Domain Users (100513)" 
> will only have read permissions to the files because of the default acls.
>
> # file: Public/user.one/
> # owner: 101144
> # group: 100513
> # flags: -s-
> user::rwx
> group::r-x
> mask::r-x
> other::---
> default:user::rwx
> default:group::r-x
> default:mask::r-x
> default:other::---
>
>
> This works absolutely fine when copying or creating files.
> However when the user moves a file from the private directory 
> (Users/user.one) with the following permissions:
>
> # file: Users/user.one/test
> # owner: 101111
> # group: 101111
> user::rwx
> group::rwx
> mask::rwx
> other::---
>
> to the public directory the permissions stay the SAME. This will 
> practically prevent any user from reading the file, because the move 
> (or rename syscall) doesn't inherit the default acls. I find this 
> behavior very unexpected although it makes total sense from the file 
> system's point of view.
>
> The main question now is: How to solve this problem?
>
> Here are some ideas I had:
> 1. Samba should apply the posix acls from the parent directory 
> automatically after a rename like it is done with the archive bit. 
> This feature should be off by default and can be enabled in the 
> configuration.
> https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055 
>
>
> 2. Use an external service which watches directory movements and then 
> apply the permissions recursively.
> 2.1 Inotify: It would be possible to use inotify. The main 
> disadvantage is the lack of automatic recursive watchers. So your 
> external service needs to create a separate watch for every directory 
> which might be quite performance intensive when your share has 
> multiple 100.000 directories (e.g. when some users develop nodejs 
> applications with its thousands of dependencies).
> 2.2 Fanotify: It was updated with kernel 5.1 and now supports 
> notifications for file movements. 
> https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements 
>
> This however doesn't work with multiple namespaces which is a must for 
> our use case (docker).
>
> So how do you mitigate this problem in your environment? I think this 
> scenario isn't so special that some other users wouldn't have the same 
> issue.
>
> I would appreciate any advice or tips on how to solve this problem.
>
> Kind regards
> Sören Busse
>
Let's start with seeing your smb.conf, so we can see how you are running 
Samba.

Rowland
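An added audit example, not from the thread or from Samba: it parses getfacl output in the format quoted above, computes the ACL a file created in Public/user.one would inherit from the directory's default ACL, and lists how the renamed file differs. The sample strings are constructed from the outputs quoted in the message, and a 0666 create mode is assumed (default ACL inheritance ignores the umask). A non-empty result is how you would find files that arrived via rename and still need their ACL re-applied.

```python
import re

PERM = {"r": 4, "w": 2, "x": 1}
# Constructed samples: getfacl output as quoted above for Public/user.one and for the file renamed into it from Users/user.one.
PUBLIC_DIR = """# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---"""
MOVED_FILE = "# owner: 101111\n# group: 101111\nuser::rwx\ngroup::rwx\nmask::rwx\nother::---"

def parse_getfacl(text):
    """Parse getfacl output into owner/group/flags plus access and default ACL entries keyed by (tag, qualifier)."""
    info = {"owner": None, "group": None, "flags": "---", "access": {}, "default": {}}
    for line in text.splitlines():
        m = re.match(r"#\s*(owner|group|flags):\s*(\S+)", line)
        if m:
            info[m.group(1)] = m.group(2)
        elif not line.startswith("#") and ":" in line:
            table = info["default"] if line.startswith("default:") else info["access"]
            tag, qual, perms = line.replace("default:", "", 1).split("#")[0].split(":")
            table[(tag, qual)] = sum(PERM[c] for c in perms if c in PERM)
    return info

def expected_new_file_acl(parent, mode=0o666):
    """ACL a file *created* in parent inherits: the default entries, with owner, other and mask (or group when no mask) ANDed with the create mode (POSIX.1e; 0666 assumed)."""
    acl = dict(parent["default"])
    acl[("user", "")] &= mode >> 6 & 7
    acl[("other", "")] &= mode & 7
    acl[("mask", "") if ("mask", "") in acl else ("group", "")] &= mode >> 3 & 7
    return acl

def fmt(bits): return "".join(c if bits & b else "-" for c, b in PERM.items())

def audit(parent, child):
    """List where child's group/ACL grants more than inheritance from parent would; non-empty means the file most likely arrived via rename and needs its ACL re-applied."""
    findings = []
    if parent["flags"][1:2] == "s" and child["group"] != parent["group"]:
        findings.append(f"group is {child['group']}, setgid parent would give {parent['group']}")
    for key, exp in expected_new_file_acl(parent).items():
        actual = child["access"].get(key, 0)
        if actual & ~exp:
            findings.append(f"{key[0]}:{key[1]} is {fmt(actual)}, inheritance would give {fmt(exp)}")
    return findings
```

Run `audit(parse_getfacl(PUBLIC_DIR), parse_getfacl(MOVED_FILE))` to see the four discrepancies for the moved file (wrong group owner, and user/group/mask entries wider than the defaults allow).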
