[Samba] vfs_recycle permission bug?!

Marco Gaiarin gaio at sv.lnf.it
Wed Oct 16 13:13:57 UTC 2019 

Samba 4.8 (Louis debian repo), DM.


Today i've had to recovery a deleted file in that share, that use
'vfs_recycle' modules:

  [Work]
	comment = Spazio di Lavoro Utente
	map acl inherit = Yes
	path = /srv/work
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr recycle full_audit
	volume = Work
	full_audit:failure = none
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:prefix = %S|%d|%I|%M|%u
	recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$*
	recycle:versions = yes
	recycle:keeptree = yes
	recycle:repository = .cestino/%U

but i've misclick on user name, and found that i can read ALL deleted
files of ALL users. ;-(

Looking at file permissions:

	root at vdmsv1:~# ls -la /srv/work/.cestino/
	totale 12
	drwxrwxrwt 107 root                domain users 4096 ott 16 14:53 .
	drwxr-xr-x  95 root                root         4096 apr  5  2019 ..
	drwxr-xr-x   4 abarro              domain users   61 set 30 11:51 abarro
	drwxr-xr-x   3 agnese              domain users   40 set 10 16:47 agnese
	drwxr-xr-x   5 aleggi              domain users   66 set  5 08:53 aleggi
	[...]

note that there's no ACL:

	root at vdmsv1:~# getfacl /srv/work/.cestino/abarro
	getfacl: Removing leading '/' from absolute path names
	# file: srv/work/.cestino/abarro
	# owner: abarro
	# group: domain\040users
	user::rwx
	group::r-x
	other::r-x

I've also tried to add to share definition:

	recycle:subdir_mode = 0700
	recycle:directory_mode = 0700

(that the manpage say they are the default), but nothing changed.


I've hit a bug?


If i've not misconfigured something security implication of this
behaviour are serious...


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list