[Samba] Worm VFS module not working?

Jeremy Allison jra at samba.org
Fri Jul 2 17:07:08 UTC 2021


On Thu, Jul 01, 2021 at 08:56:41PM -0700, Aaron C. de Bruyn via samba wrote:
>Darn!  Thanks for the info Andrew.
>I don't speak C, otherwise I'd give it a shot.
>It's super handy for when cryptolocker comes knocking because one of your
>clients is still running Exchange 2007 and Office 2007 in the year 2021...
>;)

Yes Andrew is right, it needs a maintainer.

>On Thu, Jul 1, 2021 at 8:50 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Thu, 2021-07-01 at 20:34 -0700, Aaron C. de Bruyn via samba wrote:
>> > I'm beginning to think the 'worm' VFS module might not be working.
>> >
>> > I've spent the last 30 minutes or so playing around with it...and I *swear*
>> > I had it working when I implemented it about 6 months ago...but it lets me
>> > delete/rename/modify any file.
>> >
>> > Here's a sample share definition from one of my NAS boxen:
>> >
>> > [archive]
>> >      comment = Archive Folder
>> >      path = /tank/archive
>> >      acl allow execute always = False
>> >      guest ok = False
>> >      read only = False
>> >      valid users = adebruyn
>> >      vfs objects = worm shadow_copy2 full_audit
>> >      worm:grace_period = 300
>> >
>> >
>> > If I connect to the archive folder, I can delete anything--even files with
>> > dates from 2016.
>> >
>> > Is there something to the vfs objects ordering or maybe the module is
>> > broken in my really super old 4.9.5-Debian package?
>>
>> While this module is admirable, I wouldn't recommend it.  Since over
>> two years ago this MR has remained unmerged in our GitLab:
>>
>> Prevent Linux client ability to disobey VFS WORM
>> https://gitlab.com/samba-team/samba/-/merge_requests/191
>>
>> There is no testsuite and there has been no maintenance since it was
>> added other than suspiciously changes for the VFS rewrite (I would have
>> expected more).

The emphasis in the VFS rewrite has been to make the core
fileserver functionality work correctly with handle-based
calls, and to keep the obscure modules compiling and working,
but not functionally change them to be handle based.

That's probably why you haven't seen many changes here.

Once the VFS rewrite is done (and I'm expecting - hoping, really :-)
that it will be completed this year) then we can go through some
of these obscure unmaintained modules and make the fix/delete
decision.


