[Samba] Permissions not inherited when moving a file
Sören Busse
soeren.busse at magis.school
Tue Aug 6 14:02:02 UTC 2019
Thank you very much for your reply.
Oh sorry, I forgot that:
Here's my smb.conf for the Samba 4.9.4-Debian file server. I'm running Samba
with a separate Samba DC (I replaced my domain with samdom):
[global]
security = ADS
workgroup = samdom
realm = samdom.domain.tld
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config samdom : backend = rid
idmap config samdom : range = 100000-200000
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map
[Share]
path = /srv/Share
read only = no
store dos attributes = no
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
hide files = /desktop.ini/.BIN/
smb.conf for Domain Controller:
[global]
bind interfaces only = Yes
dns forwarder = 10.10.0.1
interfaces = lo enp3s0
netbios name = DC-1
realm = SAMDOM.DOMAIN.TLD
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Thank you very much in advance
Kind regards
Sören Busse
On 06.08.19 at 15:45, Rowland penny via samba wrote:
> On 06/08/2019 14:22, Sören Busse via samba wrote:
>> Hello Samba list subscribers,
>>
>> I have a permission issue when moving files or directories (rename
>> syscall) between directories with different permissions in my share.
>> I'm using POSIX ACLs on my shares.
>>
>> These are my users:
>> user.one (uid: 101111, gid: 101111)
>> SAMDOM\Domain Users (gid: 100513)
>>
>> I've got the following directories:
>>
>> This is the private (home) directory of user.one. The user is the
>> user owner and group owner and has full permissions (770)
>>
>> # file: Users/user.one/
>> # owner: 101111
>> # group: 101111
>> # flags: -s-
>> user::rwx
>> group::rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::rwx
>> default:mask::rwx
>> default:other::---
>>
>> This user also has a public directory where only the user is able to
>> write files and all other users in this domain should only be able to
>> read the files:
>> Whenever the user creates a file in there, all "Domain Users (100513)"
>> will only have read permissions on the files because of the default
>> ACLs.
>>
>> # file: Public/user.one/
>> # owner: 101144
>> # group: 100513
>> # flags: -s-
>> user::rwx
>> group::r-x
>> mask::r-x
>> other::---
>> default:user::rwx
>> default:group::r-x
>> default:mask::r-x
>> default:other::---
>>
>>
>> This works absolutely fine when copying or creating files.
>> However when the user moves a file from the private directory
>> (Users/user.one) with the following permissions:
>>
>> # file: Users/user.one/test
>> # owner: 101111
>> # group: 101111
>> user::rwx
>> group::rwx
>> mask::rwx
>> other::---
>>
>> to the public directory, the permissions stay the SAME. This will
>> practically prevent any user from reading the file, because the move
>> (or rename syscall) doesn't inherit the default ACLs. I find this
>> behavior very unexpected, although it makes total sense from the
>> file system's point of view.
>>
>> The main question now is: How to solve this problem?
>>
>> Here are some ideas I had:
>> 1. Samba should apply the POSIX ACLs from the parent directory
>> automatically after a rename, like it is done with the archive bit.
>> This feature should be off by default and can be enabled in the
>> configuration.
>> https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055
>>
>>
>> 2. Use an external service which watches directory movements and then
>> apply the permissions recursively.
>> 2.1 Inotify: It would be possible to use inotify. The main
>> disadvantage is the lack of automatic recursive watchers. So your
>> external service needs to create a separate watch for every directory,
>> which might be quite performance intensive when your share has
>> several hundred thousand directories (e.g. when some users develop Node.js
>> applications with their thousands of dependencies).
>> 2.2 Fanotify: It was updated with kernel 5.1 and now supports
>> notifications for file movements.
>> https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements
>>
>> This, however, doesn't work with multiple namespaces, which is a must
>> for our use case (Docker).
>>
>> So how do you mitigate this problem in your environment? I think this
>> scenario isn't so special that some other users wouldn't have the
>> same issue.
>>
>> I would appreciate any advice or tips on how to solve this problem.
>>
>> Kind regards
>> Sören Busse
>>
> Let's start with seeing your smb.conf, so we can see how you are
> running Samba.
>
> Rowland
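The thread's core observation is that create inherits the parent's default ACL while rename(2) keeps the old ACL (and, on a setgid directory, the old group owner) untouched. The script below is an added example, not Samba code and not the poster's own tooling: it models the POSIX.1e inheritance rule on the getfacl listings from the post, shows what a Domain Users member can do with the file before and after the fix, and produces the chgrp plus `setfacl --set-file=-` text that makes a moved object look freshly created. It assumes (not stated in the thread) that the posted `force create mode = 0770` yields a creation mode of 0o770, and that `getfacl`/`setfacl` from the acl package are installed when `apply_fix` is used on real paths.

```python
"""Added example, not Samba's code and not the poster's script: model the
POSIX.1e ACL rules behind the thread (why create inherits the default ACL
but rename(2) does not) and build the chgrp + setfacl fix for an object
moved into a directory that carries a default ACL.

Assumptions not stated in the thread: the kernel applies POSIX.1e draft 17
inheritance at create time, and the posted `force create mode = 0770`
means new objects are created with mode 0o770.
"""
import os
import subprocess
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]  # (tag, qualifier, perms), e.g. ("group", "", "r-x")

# Constructed sample input: the two getfacl listings quoted in the thread.
PUBLIC_DIR_ACL = """\
# file: Public/user.one/
# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""
MOVED_FILE_ACL = """\
# file: Users/user.one/test
# owner: 101111
# group: 101111
user::rwx
group::rwx
mask::rwx
other::---
"""


def parse_getfacl(text: str):
    """Split `getfacl -n` output into (owner, group, access entries, default entries)."""
    owner = group = None
    access: List[Entry] = []
    default: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = int(line.split(":", 1)[1])
        elif line.startswith("# group:"):
            group = int(line.split(":", 1)[1])
        elif line and not line.startswith("#"):
            line = line.split("#", 1)[0].rstrip()  # drop a trailing "#effective:" note
            is_default = line.startswith("default:")
            body = line[len("default:"):] if is_default else line
            tag, qual, perms = body.split(":")
            (default if is_default else access).append((tag, qual, perms))
    return owner, group, access, default


def perms_to_bits(perms: str) -> int:
    return sum(bit for ch, bit in zip(perms, (4, 2, 1)) if ch != "-")


def bits_to_perms(bits: int) -> str:
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))


def inherit_acl(parent_default: List[Entry], mode: int, is_dir: bool = False):
    """The ACL a *new* object gets (POSIX.1e): the parent's default ACL becomes
    the access ACL, with only user::, mask:: (or group:: when there is no mask)
    and other:: ANDed against the creation mode; a directory also copies the
    default ACL itself. rename(2) performs none of this."""
    has_mask = any(tag == "mask" for tag, _, _ in parent_default)
    access: List[Entry] = []
    for tag, qual, perms in parent_default:
        bits = perms_to_bits(perms)
        if tag == "user" and qual == "":
            bits &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        access.append((tag, qual, bits_to_perms(bits)))
    return access, (list(parent_default) if is_dir else [])


def effective_perms(owner: int, group: int, access: List[Entry], uid: int, gids: set) -> str:
    """Rights (uid, gids) gets under the ACL: owner entry, else a named user,
    else owning group / named groups (mask applied), else other::. Matching
    group entries are collapsed to a union; the kernel checks them per request."""
    mask = next((perms_to_bits(p) for t, _, p in access if t == "mask"), 7)
    if uid == owner:
        return next(p for t, q, p in access if t == "user" and q == "")
    for t, q, p in access:
        if t == "user" and q and int(q) == uid:
            return bits_to_perms(perms_to_bits(p) & mask)
    matched = [perms_to_bits(p) for t, q, p in access
               if t == "group" and ((q == "" and group in gids) or (q and int(q) in gids))]
    if matched:
        bits = 0
        for b in matched:
            bits |= b
        return bits_to_perms(bits & mask)
    return next(p for t, _, p in access if t == "other")


def fix_plan(parent_text: str, moved_text: str, mode: int = 0o770, is_dir: bool = False):
    """Group to chgrp to (if any) plus setfacl text that makes the moved object
    look freshly created. A setgid parent (flags -s-) would have given a new
    object the parent's group; rename keeps the old group, so fix that too."""
    _, parent_gid, _, parent_default = parse_getfacl(parent_text)
    _, moved_gid, _, _ = parse_getfacl(moved_text)
    access, default = inherit_acl(parent_default, mode, is_dir)
    new_gid: Optional[int] = parent_gid if parent_gid != moved_gid else None
    lines = [f"{t}:{q}:{p}" for t, q, p in access] + [f"default:{t}:{q}:{p}" for t, q, p in default]
    return new_gid, "\n".join(lines) + "\n"


def read_acl(path: str) -> str:
    return subprocess.run(["getfacl", "-n", "-p", path], capture_output=True, text=True, check=True).stdout


def apply_fix(path: str, mode: int = 0o770) -> None:
    """Reapply the parent's default ACL to one moved object; descend into a moved directory."""
    parent = os.path.dirname(os.path.abspath(path))
    is_dir = os.path.isdir(path) and not os.path.islink(path)
    new_gid, acl_text = fix_plan(read_acl(parent), read_acl(path), mode, is_dir)
    if new_gid is not None:
        os.chown(path, -1, new_gid)
    # --set-file=- replaces the whole ACL from stdin, in getfacl's own text format.
    subprocess.run(["setfacl", "--set-file=-", path], input=acl_text, text=True, check=True)
    if is_dir:
        for child in os.listdir(path):
            apply_fix(os.path.join(path, child), mode)


if __name__ == "__main__":
    import sys
    for moved in sys.argv[1:]:
        apply_fix(moved)
```

Run as root with the moved path(s) as arguments, e.g. from whatever watcher (inotify, fanotify, or a periodic scan) reports the move. The pure functions run offline on the quoted listings: for the moved `test` file a Domain Users member evaluates to `---` (the file still belongs to group 101111, so the member falls through to `other::`), and after the plan (`chgrp 100513` plus `user::rwx group::r-x mask::r-x other::---`) to `r-x`. Note that `--set-file=-` replaces the entire ACL, so any named entries the file carried from its old location are dropped, which is exactly what a fresh create would have done.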