[Samba] ACLs, groups and suid-bit?

L.P.H. van Belle belle at bazuin.nl
Wed Sep 9 09:40:03 UTC 2020


Forgot to send this yesterday, but here you go.

For anyone that wants a better understanding of Linux rights and ACLs AND Windows.
Play with this.

And yes, it's a lot of folders that are created here, but it is useful..
It creates the folders with install (chmod+chown+mkdir in one).
For example, 1700 gives in Windows:
1. Creator Owner.
7. owner
0 deny
0 deny

But there are more, and lots don't use it.
So a little script that creates the folders for you, and you can play and check rights.


#!/bin/bash

# Put a path from a share in here.
FOLDER_IN_SHARE=/srv/samba/share/

mkdir "$FOLDER_IN_SHARE/test"
# Stop here if the test folder cannot be entered, otherwise the folders
# would be created in whatever the current directory happens to be.
cd "$FOLDER_IN_SHARE/test" || exit 1

# Creating some rights.
# The first of the 4 digits of the rights (special bits: setuid 4, setgid 2, sticky 1).
for A in 1 2 3 4 5 6 7
do
  # The second of the 4 digits (owner). I only used 7 and 5 (x7xx) (x5xx).
  # You can add more, but more is more folders..
  for B in 7 5
  do
    # The third of the 4 digits (group).
    for C in 7 5
    do
      # The last of the 4 digits (other).
      for D in 0 1 5 7
      do
        # install does mkdir, chown, chmod in one go.
        # Create folder testfolder-ABCD, owner root, group root, with rights ABCD.
        install -d -o root -g root -m "${A}${B}${C}${D}" "testfolder-${A}${B}${C}${D}"
      done
    done
  done
done
cd ..
exit 0


Now, get a Windows PC, log in as the Domain Administrator
and look up the rights in Windows for all folders created.
Add a group, see what it does.

Try without adding UID/GIDs before you change a security setting,
and try after you have added UID/GIDs before you change a security setting.

And verify the rights with getfacl.

And now you know that.
Stop using chmod, start using [s,g]etfacl ;-)
You can use mkdir/install/chmod/chown when you set up the first folders.

But once you use them in Windows, stop using chmod/chown.
But you can make it easier for yourself by setting up a folder from within Windows completely
and using samba-tool to copy the SDDL (Security Descriptor Definition Language).
An example of how I do it is shown here.

https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh 

Good luck..


Greetz, 

Louis 
(Invest in yourself, it's the cheapest way to gain.)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harald Hannelius via samba
> Sent: Tuesday 8 September 2020 16:45
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] ACLs, groups and suid-bit?
> 
> 
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> > On 08/09/2020 14:43, Harald Hannelius wrote:
> >> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> >>> On 08/09/2020 13:55, Harald Hannelius wrote:
> >>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> >>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
> [snip]
> >>> The 'new and improved way' is to make use of this:
> >>> 
> >>> vfs objects = acl_xattr
> >> 
> >> This doesn't say much to me (reading the man-page of smb.conf). Does it
> >> mean to store ACLs in the extra attributes in the underlying filesystem?
> >
> > Yes, it works like this:
> >
> > there is the normal Unix 'ugo' permissions
> >
> > Then there are permissions that can be set with setfacl, these are stored in
> > an acl
> >
> > Finally there are the permissions that are created from Windows which are
> > stored in extended attributes.
> 
> Thanks.
> 
> >>> You set the permissions from Windows, try reading this:
> >>> 
> >>> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >> 
> >> If I don't have a Windows computer, can I use setfacl or chmod?
> > You could try setfacl
> 
> Good, until now I haven't even used ACLs on that filesystem. setgid and chmod
> have been enough until now.
> 
> >> Can I just stop using ACLs and go back to the old way of reading the
> >> permissions from the unix permissions? Users don't know how to, don't have
> >> the interest to, or don't want to do this themselves. Nor do I want to
> >> manage the ACLs at all, most certainly not through a GUI (on Windows).
> > No, you are running an AD domain now.
> 
> As per my other reply that (sadly) forked this thread 'nt acl support = No'
> and 'inherit permissions = Yes' did exactly what I wanted.
> 
> I couldn't understand why files created in a directory with group 'it' and
> setgid set didn't get to be owned by the group 'it' but rather by the group
> 'users'.
> 
> >> I have to test 'inherit permissions (S)' as well.
> >> 
> >> What I want is for new files in the directory to have the same (unix) group
> >> ownership as the directory has. And that they have write permission for
> >> that unix-group.
> > OK, stop using your group, (which raises a question: you have (unix) above,
> > does this mean a group in /etc/group or a group in AD with a gidNumber
> > attribute ?), use Domain Users instead, all yours are members of Domain
> > Users.
> 
> By unix-group I actually meant the group on the filesystem (gidNumber). This
> resolves through winbind to an AD-group.
> 
> But now I have directories each with their own group, and with the
> setgid- and write-bit set. And directories created under this get the
> same group ownership as the parent dir, the group write- and setgid bit,
> and files created get the group ownership of the parent dir and the group
> write bit set.
> 
> I think it's best for this implementation to not use ACLs.
> 
> 
> -- 
> 
> Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
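The testfolder-ABCD names above encode a 4-digit octal mode, and reading those digits by hand is the part people get wrong when comparing against the Windows security tab. The following is an added helper, not part of the mail or of Louis' script: it decodes such a mode (or, via GNU stat, the mode of an existing directory) into the special bits and the u/g/o rwx triplets, so you can check what a folder really grants on the Unix side before looking at it from Windows.

```shell
#!/bin/bash
# Added example, not part of the original mail or of Louis' script: decode
# the 4-digit octal modes the testfolder-ABCD script creates (1700, 2750,..)
# into the special bits and u/g/o rwx triplets, so what you see on the
# Windows security tab can be compared with what the Unix mode really grants.

# rwx_of DIGIT: render one octal digit (0-7) as an rwx triplet.
rwx_of() {
  local d=$1 s=""
  [ $((d & 4)) -ne 0 ] && s="${s}r" || s="${s}-"
  [ $((d & 2)) -ne 0 ] && s="${s}w" || s="${s}-"
  [ $((d & 1)) -ne 0 ] && s="${s}x" || s="${s}-"
  printf '%s' "$s"
}

# decode_mode ABCD: A = special bits (setuid 4, setgid 2, sticky 1),
# B = owner, C = group, D = other. Returns 1 for anything that is not
# exactly four octal digits.
decode_mode() {
  local m=$1 special=""
  case $m in
    [0-7][0-7][0-7][0-7]) ;;
    *) printf 'not a 4-digit octal mode: %s\n' "$m" >&2; return 1 ;;
  esac
  local a=${m:0:1} b=${m:1:1} c=${m:2:1} d=${m:3:1}
  [ $((a & 4)) -ne 0 ] && special="${special}setuid,"
  [ $((a & 2)) -ne 0 ] && special="${special}setgid,"
  [ $((a & 1)) -ne 0 ] && special="${special}sticky,"
  special=${special%,}
  printf 'special=%s user=%s group=%s other=%s\n' \
    "${special:-none}" "$(rwx_of "$b")" "$(rwx_of "$c")" "$(rwx_of "$d")"
}

# decode_dir PATH: decode the mode stat reports for an existing directory
# (GNU stat -c; stat prints no leading zeros, so pad to four digits).
decode_dir() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
  decode_mode "$mode"
}

# Demo over a few of the modes the script in the mail creates.
for m in 1700 1750 2770 4755; do printf '%s  ' "$m"; decode_mode "$m"; done
```

Run it as `./decode.sh` for the demo, or source it and call `decode_dir /srv/samba/share/test/testfolder-2750` to see the mode of a folder the script created.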