[Samba] Permissions not inherited when moving a file
Rowland penny
rpenny at samba.org
Tue Aug 6 14:23:15 UTC 2019
On 06/08/2019 15:02, Sören Busse via samba wrote:
> Thank you very much for your reply.
>
> Oh sorry, I forgot that:
> Here's my smb.conf for Samba 4.9.4-Debian fileserver. I'm running
> samba with a different Samba-DC (I replaced my domain with samdom):
>
> [global]
> security = ADS
> workgroup = samdom
> realm = samdom.domain.tld
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config samdom : backend = rid
> idmap config samdom : range = 100000-200000
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
> username map = /etc/samba/user.map
>
>
> [Share]
> path = /srv/Share
> read only = no
> store dos attributes = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0770
> force directory mode = 0770
> hide files = /desktop.ini/.BIN/
>
> smb.conf for Domain Controller:
> [global]
> bind interfaces only = Yes
> dns forwarder = 10.10.0.1
> interfaces = lo enp3s0
> netbios name = DC-1
> realm = SAMDOM.DOMAIN.TLD
> server role = active directory domain controller
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.domain.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Thank you very much in advance
> Kind regards
> Sören Busse
>
> On 06/08/19 at 15:45, Rowland penny via samba wrote:
>> On 06/08/2019 14:22, Sören Busse via samba wrote:
>>> Hello Samba list subscribers,
>>>
>>> I have a permission issue when moving files or directories (rename
>>> syscall) between directories with different permissions in my share.
>>> I'm using POSIX ACLs on my shares.
>>>
>>> These are my users:
>>> user.one (uid: 101111, gid: 101111)
>>> SAMDOM\Domain Users (gid: 100513)
>>>
>>> I've got the following directories:
>>>
>>> This is the private (home) directory of user.one. The user is the
>>> user owner and group owner and has full permissions (770)
>>>
>>> # file: Users/user.one/
>>> # owner: 101111
>>> # group: 101111
>>> # flags: -s-
>>> user::rwx
>>> group::rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:group::rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> This user also has a public directory where only the user is able to
>>> write files and all other users in this domain should only be able
>>> to read the files:
>>> Whenever the user creates a file in there all "Domain Users
>>> (100513)" will only have read permissions to the files because of
>>> the default acls.
>>>
>>> # file: Public/user.one/
>>> # owner: 101144
>>> # group: 100513
>>> # flags: -s-
>>> user::rwx
>>> group::r-x
>>> mask::r-x
>>> other::---
>>> default:user::rwx
>>> default:group::r-x
>>> default:mask::r-x
>>> default:other::---
>>>
>>>
>>> This works absolutely fine when copying or creating files.
>>> However when the user moves a file from the private directory
>>> (Users/user.one) with the following permissions:
>>>
>>> # file: Users/user.one/test
>>> # owner: 101111
>>> # group: 101111
>>> user::rwx
>>> group::rwx
>>> mask::rwx
>>> other::---
>>>
>>> to the public directory the permissions stay the SAME. This will
>>> practically prevent any user from reading the file, because the move
>>> (or rename syscall) doesn't inherit the default acls. I find this
>>> behavior very unexpected although it makes total sense from the
>>> file system's point of view.
>>>
>>> The main question now is: How to solve this problem?
>>>
>>> Here are some ideas I had:
>>> 1. Samba should apply the posix acls from the parent directory
>>> automatically after a rename like it is done with the archive bit.
>>> This feature should be off by default and can be enabled in the
>>> configuration.
>>> https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055
>>>
>>>
>>> 2. Use an external service which watches directory movements and
>>> then applies the permissions recursively.
>>> 2.1 Inotify: It would be possible to use inotify. The main
>>> disadvantage is the lack of automatic recursive watchers. So your
>>> external service needs to create a separate watch for every
>>> directory which might be quite performance intensive when your share
>>> has multiple 100.000 directories (e.g. when some users develop
>>> nodejs applications with its thousands of dependencies).
>>> 2.2 Fanotify: It was updated with kernel 5.1 and now supports
>>> notifications for file movements.
>>> https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements
>>>
>>> This however doesn't work with multiple namespaces which is a must
>>> for our use case (docker).
>>>
>>> So how do you mitigate this problem in your environment? I think
>>> this scenario isn't so special that some other users wouldn't have
>>> the same issue.
>>>
>>> I would appreciate any advice or tips how to solve this problem.
>>>
>>> Kind regards
>>> Sören Busse
>>>
>> Let's start with seeing your smb.conf, so we can see how you are
>> running Samba.
>>
>> Rowland
>>
>>
>>
>
I would suggest you use Windows ACLs instead, try reading this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
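The core point of the thread, that a rename keeps whatever ACL the file already carries while only a create inherits the parent directory's POSIX default ACL, can be checked offline from getfacl output. The Python below is an added example and is not code from Samba or from either poster. It parses the two getfacl dumps quoted in the thread (copied from the post; the moved file's path is assumed to be Public/user.one/test after the move), computes the access ACL the file would have received had it been created under the public directory with the share's 0770 create mode, evaluates with the POSIX.1e access algorithm whether a member of SAMDOM\Domain Users (constructed uid 200000, gid 100513) can read it before and after, and emits the chgrp/setfacl commands a periodic clean-up job of the kind proposed as idea 2 would run. The parser and the access check are general: they also handle named user/group entries, a missing mask entry and getfacl's "#effective:" annotations, none of which occur in the posted dumps.

```python
# Added example, not Samba code: check a file moved into a directory against that
# directory's POSIX default ACL.  getfacl(1) dumps below are taken from the thread above.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
def perm_to_bits(perms): return sum(PERM_BITS[c] for c in perms if c != "-")        # 'r-x' -> 5
def bits_to_perm(bits): return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

# Public directory as posted: setgid, group 100513, read-only default group/mask entries
PUBLIC_DIR_ACL = """\
# file: Public/user.one/
# owner: 101144
# group: 100513
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""
# The moved file keeps the ACL it had under Users/user.one (post-move path is assumed)
MOVED_FILE_ACL = """\
# file: Public/user.one/test
# owner: 101111
# group: 101111
user::rwx
group::rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """One getfacl record -> file/owner/group/setgid plus {(tag, qualifier): bits} tables."""
    acl = {"file": None, "owner": None, "group": None, "setgid": False, "access": {}, "default": {}}
    for line in filter(None, (raw.split("#effective:")[0].strip() for raw in text.splitlines())):
        if line.startswith("#"):  # header: file/owner/group/flags
            key, _, value = (s.strip() for s in line[1:].partition(":"))
            if key in ("file", "owner", "group"):
                acl[key] = value
            elif key == "flags":  # '-s-' = setuid, setgid, sticky
                acl["setgid"] = value[1] == "s"
            continue
        table = acl["access"]
        if line.startswith("default:"):
            table, line = acl["default"], line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        table[(tag, qualifier)] = perm_to_bits(perms)
    return acl

def inherited_access_acl(parent, mode):
    """POSIX.1e create-time inheritance (which a rename never performs): the parent's default
    entries become the access ACL; owner, mask (or owning group when there is no mask) and
    other entries are ANDed with the matching bits of the creation mode."""
    defaults, has_mask, result = parent["default"], ("mask", "") in parent["default"], {}
    for (tag, qual), bits in defaults.items():
        if (tag, qual) == ("user", ""):
            bits &= (mode >> 6) & 7
        elif tag == "mask" or ((tag, qual) == ("group", "") and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        result[(tag, qual)] = bits
    return result

def expected_acl(actual, parent, mode=0o770):
    """ACL the file would carry if created under `parent` (0770 = the share's force create mode)."""
    return {"file": actual["file"], "owner": actual["owner"],
            "group": parent["group"] if parent["setgid"] else actual["group"],  # setgid -> inherit group
            "setgid": False, "access": inherited_access_acl(parent, mode), "default": {}}

def may_access(acl, uid, gids, want=4):
    """POSIX.1e access check (want=4 is read); group and named entries go through mask::."""
    a, mask = acl["access"], acl["access"].get(("mask", ""), 7)
    uid, gids = str(uid), {str(g) for g in gids}
    if uid == acl["owner"]:
        return a[("user", "")] & want == want
    if ("user", uid) in a:
        return a[("user", uid)] & mask & want == want
    group_entries = [bits for (tag, q), bits in a.items()
                     if tag == "group" and (q in gids or (q == "" and acl["group"] in gids))]
    if group_entries:  # a matching group entry that denies does not fall back to other::
        return any(bits & mask & want == want for bits in group_entries)
    return a[("other", "")] & want == want

def fix_commands(actual, wanted):
    """chgrp/setfacl commands that bring `actual` in line with `wanted` ([] when already OK)."""
    short = {"user": "u", "group": "g", "mask": "m", "other": "o"}
    cmds = []
    if actual["group"] != wanted["group"]:
        cmds.append(f"chgrp {wanted['group']} {actual['file']}")
    if actual["access"] != wanted["access"]:
        spec = ",".join(f"{short[t]}:{q}:{bits_to_perm(b)}" for (t, q), b in wanted["access"].items())
        cmds.append(f"setfacl -m {spec} {actual['file']}")
    return cmds

def check_moved_file(file_dump=MOVED_FILE_ACL, parent_dump=PUBLIC_DIR_ACL):
    actual, parent = parse_getfacl(file_dump), parse_getfacl(parent_dump)
    wanted = expected_acl(actual, parent)
    member = (200000, [100513])  # constructed SAMDOM\Domain Users member (uid, gids)
    return may_access(actual, *member), may_access(wanted, *member), fix_commands(actual, wanted)
```

Run over the posted dumps, check_moved_file() reports that the Domain Users member cannot read the moved file but would be able to after the fix, and returns the two commands (chgrp to 100513 because the parent is setgid, then setfacl with u::rwx,g::r-x,m::r-x,o::---). The comparison deliberately ignores how Samba maps the x bits to DOS attributes; a real clean-up job would also want to walk directories and reapply their default entries, which a rename does not carry over either.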