[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled
Peter Eriksson
pen at lysator.liu.se
Wed Feb 27 15:53:48 UTC 2019
We just noticed an interesting bug/misfeature on our Samba 4.9.4 servers (FreeBSD 11.2). The same effect is also visible on Samba 4.8.3 on CentOS 7.
Start with a directory that looks like this:
root at filur00:/tmp/test # ls -la
total 50
drwxrwx--- 2 peter86 uf-iti-all 3 Feb 27 11:27 .
drwxrwxrwt 10 root wheel 56 Feb 27 16:41 ..
-rw-rw---- 1 mikha02 uf-iti-all 6 Feb 27 11:27 hello.txt
Ie, no ACLs, just “pure” Unix permission bits. Share it as usual via smb.conf.
With a smb.conf file with any “vfs objects” enabled (doesn’t matter which, or even with an empty list):
vfs objects = ;; empty list
vfs objects = shadow_copy2 zfsacl full_audit
Then if you (from a Windows machine) look at the file's Properties -> Security you will find that the Write access for the Group entry has been removed from the ACL list displayed (and Samba will give Windows users access errors when they try to write to that file).
With a smb.conf file without a “vfs objects” line you will correctly get the right Write Access for the Group in the ACL.
It feels like having any “vfs objects” config line removes some kind of default VFS module that does something that it should call instead of calling it last….
- Peter
More information about the samba
mailing list