[Samba] vfs_recycle permission bug?!

L.P.H. van Belle belle at bazuin.nl
Wed Oct 16 14:32:13 UTC 2019


Hi Marco, 

Can you check this: acl and attr, are these installed? 

type acl 
type attr
Or just run: apt-get install -y acl attr 

Try this: 

chmod 1770 /srv/work/.cestino/

Which sets: "creator Owner" (1), Owner (7), Group (7), World (0)
So the owner and groups can create anything, but you're enforcing "creator owner" 

Then set: 
 	recycle:subdir_mode = 1700
 	recycle:directory_mode = 1700

I've not fully checked it, I'm too busy with my builder atm. 
But I'm sure it's something like that. 


Greetz, 

Louis
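As an added example (not code from this thread or from the Samba project), the following POSIX shell script audits a vfs_recycle repository such as the `/srv/work/.cestino` tree quoted below for the problem Marco reports, and applies the layout Louis suggests: sticky bit and no world bits on the repository (1770), owner-only (0700) on each per-user subdirectory. It assumes GNU coreutils `stat -c '%a'`. Changing `recycle:subdir_mode` in smb.conf only affects directories Samba creates afterwards, so a tree that already exists has to be tightened by hand, which is what `fix_recycle_repo` does.

```shell
#!/bin/sh
# Added example (not from this thread or the Samba project): audit a
# vfs_recycle repository for per-user subdirectories readable by other
# users, and apply the suggested layout (repository 1770, subdirs 0700).
# Assumes GNU coreutils `stat -c '%a'` (prints the octal mode, e.g. 1770).

# audit_recycle_repo REPO
# Prints every directory whose mode lets other users into someone else's
# recycle bin. Returns 0 when the tree is clean, 1 otherwise.
audit_recycle_repo() {
    repo=$1
    rc=0

    top=$(stat -c '%a' "$repo")
    case "$top" in
        1770|1700) ;;                   # sticky bit set, no world bits
        *) echo "BAD $repo mode $top (want 1770)"; rc=1 ;;
    esac

    for d in "$repo"/*/; do
        [ -d "$d" ] || continue         # glob matched nothing
        d=${d%/}
        mode=$(stat -c '%a' "$d")
        case "$mode" in
            700|1700) ;;                # owner only, what recycle:subdir_mode = 0700 intends
            *) echo "BAD $d mode $mode (group/other can list another user's deleted files)"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_recycle_repo REPO
# Tighten an existing tree: 1770 on the repository, 0700 on each user
# subdirectory. Ownership is left alone; each subdir already belongs to
# the user whose deleted files it holds.
fix_recycle_repo() {
    repo=$1
    chmod 1770 "$repo"
    for d in "$repo"/*/; do
        [ -d "$d" ] || continue
        chmod 0700 "${d%/}"
    done
}

# Typical run against the share quoted in this thread (as root):
#   audit_recycle_repo /srv/work/.cestino || fix_recycle_repo /srv/work/.cestino
```

The sticky bit on the repository keeps users from renaming or removing each other's subdirectories even though the directory is group-writable (which Samba needs to create new per-user subdirectories), while 0700 on each subdirectory is what actually stops one user from listing another user's deleted files; the `drwxr-xr-x` subdirectories in Marco's listing are exactly the case the audit flags.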




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Wednesday 16 October 2019 15:14
> To: samba at lists.samba.org
> Subject: [Samba] vfs_recycle permission bug?!
> 
> 
> Samba 4.8 (Louis debian repo), DM.
> 
> 
> Today I've had to recover a deleted file from that share, which uses the
> 'vfs_recycle' module:
> 
>   [Work]
> 	comment = Spazio di Lavoro Utente
> 	map acl inherit = Yes
> 	path = /srv/work
> 	read only = No
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr recycle full_audit
> 	volume = Work
> 	full_audit:failure = none
> 	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> 	full_audit:prefix = %S|%d|%I|%M|%u
> 	recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$*
> 	recycle:versions = yes
> 	recycle:keeptree = yes
> 	recycle:repository = .cestino/%U
> 
> but I misclicked on a user name, and found that I can read ALL deleted
> files of ALL users. ;-(
> 
> Looking at file permissions:
> 
> 	root at vdmsv1:~# ls -la /srv/work/.cestino/
> 	totale 12
> 	drwxrwxrwt 107 root                domain users 4096 ott 16 14:53 .
> 	drwxr-xr-x  95 root                root         4096 apr  5  2019 ..
> 	drwxr-xr-x   4 abarro              domain users   61 set 30 11:51 abarro
> 	drwxr-xr-x   3 agnese              domain users   40 set 10 16:47 agnese
> 	drwxr-xr-x   5 aleggi              domain users   66 set  5 08:53 aleggi
> 	[...]
> 
> note that there's no ACL:
> 
> 	root at vdmsv1:~# getfacl /srv/work/.cestino/abarro
> 	getfacl: Removing leading '/' from absolute path names
> 	# file: srv/work/.cestino/abarro
> 	# owner: abarro
> 	# group: domain\040users
> 	user::rwx
> 	group::r-x
> 	other::r-x
> 
> I've also tried to add to share definition:
> 
> 	recycle:subdir_mode = 0700
> 	recycle:directory_mode = 0700
> 
> (which the manpage says are the default), but nothing changed.
> 
> 
> Have I hit a bug?
> 
> 
> If I've not misconfigured something, the security implications of this
> behaviour are serious...
> 
> 
> Thanks.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 
> 		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
> 