[Samba] permissions, and maybe a violation of the least surprise principle

Rowland Penny rpenny at samba.org
Mon Nov 8 19:09:21 UTC 2021


On Mon, 2021-11-08 at 11:14 -0500, Nick Couchman via samba wrote:
> On Mon, Nov 8, 2021 at 10:54 AM Patrick Goetz via samba <
> samba at lists.samba.org> wrote:
> 
> > I'm down to the last step of my current re-implementation of Samba,
> > namely getting the permissions to work right.
> > 
> > Here is the share section (+ some general) from my smb.conf file:
> > 
> > 
> >     winbind refresh tickets = Yes
> >     vfs objects = acl_xattr
> > 
> > [share]
> >     comment = Share Directory
> >     path = /data/share
> >     guest ok = no
> >     browseable = yes
> >     writeable = yes
> >     create mask = 0770
> >     directory mask = 0770
> >     # inherit permissions = yes
> >     follow symlinks = yes
> > 
> > 
> > 
> > Here are the filesystem permissions on the directory:
> > 
> > root at data2:/data# ls -ld share
> > drwxrws---+ 3 root ea-staff 4096 Nov  6 16:31 share
> > 
> > root at data2:/data# getfacl share
> > # file: share
> > # owner: root
> > # group: ea-staff
> > # flags: -s-
> > user::rwx
> > group::rwx
> > other::---
> > default:user::rwx
> > default:group::rwx
> > default:group:ea-staff:rwx
> > default:mask::rwx
> > default:other::---
> > 
> > 
> > Notice that the setgid bit is set, with group = (security group)
> > ea-staff
> > 
> > So, I login on a Windows machine as a member of the ea-staff group,
> > and
> > save a document to the share:
> > 
> > root at data2:/data/share# ls -l top*
> > -rwxrwx---+ 1 dhales domain users 227 Nov  8 09:12 top-secret_document_only_staff_should_see.rtf
> > 
> > 
> > Notice that the setgid bit on the parent folder was ignored, and the
> > primary group assignment to the file is Domain Users.  Worse, anyone in
> > Domain Users has access to write this file, although I suppose the lack
> > of other "x" permission on the parent folder might prevent access.
> > 
> > 
> You might try the "force group" option in smb.conf - there's an option that
> you can use with that, I believe pre-pending the group name with a "+",
> that will force the group only if the user is a member of that group.
> 
> 
> > I think I read that if you are using Windows ACLs, then the Windows ACLs
> > are checked and honored first; however this seems like a violation of
> > the least surprise principle, since I'm getting user rights elevations
> > (namely Domain Users read/write access) that I don't want.
> > 
> > These Wiki pages talk about using POSIX and Windows ACLs respectively:
> > 
> >    https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> >    https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > 
> > but I can't figure out how to tell the system I would prefer to base
> > ACLs on POSIX rather than Windows ACLs.
> > 
> > 
> In those two pages, there are two different methods of ACLs that are
> mentioned:
> * POSIX ACLs, which use either basic POSIX permissions, or extended POSIX
> ACLs (getfacl and setfacl) to process permissions. The permissions that you
> see on the Windows side are just a best-effort mapping of Windows
> permissions to POSIX permissions - there is no additional "storage" of
> Windows permissions beyond what you see on the filesystem.


Totally agree, but it depends on how you 'see' the permissions:

Using 'ls':

ls -la /srv/share/file_name
-rwxrwxr-x+ 1 rowland domain users 805 Aug 29 13:31 /srv/share/file_name

Using 'getfacl':

getfacl /srv/share/file_name
getfacl: Removing leading '/' from absolute path names
# file: srv/share/file_name
# owner: rowland
# group: domain\040users
user::rwx
user:domain\040users:r-x
group::r-x
group:domain\040users:r-x
group:rowland:rwx
mask::rwx
other::r-x

Using 'samba-tool'

samba-tool ntacl get /srv/share/file_name --as-sddl
O:S-1-5-21-1768301897-3342589593-1064908849-1107G:DUD:(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-1107)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)

Rowland
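The SDDL string that `samba-tool ntacl get --as-sddl` prints above is the NT ACL that vfs_acl_xattr stores next to the POSIX ACL, and it is the view Windows clients actually evaluate. The decoder below is an added example, not code from the Samba project or from anyone in this thread. It parses the owner, group and DACL out of an SDDL string, expands the SID aliases seen on the page (DU = Domain Users, WD = Everyone) and turns access masks such as 0x001200a9 into the right names Windows shows, so that `(A;;0x001200a9;;;WD)` reads as "Everyone: Read & execute". `broad_write_grants()` is a hypothetical helper, not a samba-tool feature: it flags allow ACEs that hand any write bit to Everyone, Authenticated Users or Domain Users, which is the exposure the original poster was worried about. `ROWLAND_SDDL` is copied from the page; `LEAKY_SDDL` is a constructed variant in which Domain Users are granted full control.

```python
"""Decode SDDL from `samba-tool ntacl get --as-sddl` (added example)."""
import re

# Subset of the SDDL SID string aliases (MS-DTYP 2.4.2.4).
SID_ALIASES = {
    "DU": "Domain Users", "DA": "Domain Admins", "WD": "Everyone",
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "SY": "Local System", "CO": "Creator Owner", "CG": "Creator Group",
}

# Two-letter codes allowed in the rights field of an ACE (MS-DTYP 2.5.1.1).
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

# Individual file-access bits (winnt.h names), used when a mask is not one
# of the five "simple" rights that Explorer's security tab shows.
FILE_BITS = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
SIMPLE_RIGHTS = {
    0x001F01FF: "Full control", 0x001301BF: "Modify",
    0x001200A9: "Read & execute", 0x00120089: "Read", 0x00100116: "Write",
}
# Any of these bits lets the trustee change content, metadata or the ACL itself.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)

# SDDL copied verbatim from Rowland's samba-tool output on the page.
ROWLAND_SDDL = (
    "O:S-1-5-21-1768301897-3342589593-1064908849-1107G:DUD:"
    "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-1107)"
    "(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)"
)
# Constructed variant of the poster's complaint: Domain Users get full control.
LEAKY_SDDL = (
    "O:S-1-5-21-1768301897-3342589593-1064908849-1107G:DUD:"
    "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-1107)"
    "(A;;FA;;;DU)(A;;0x001200a9;;;WD)"
)


def parse_rights(text):
    """Rights field: either a hex mask or a run of two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_CODES[text[i:i + 2]]   # KeyError on an unknown code
    return mask


def trustee_name(sid):
    """Expand an alias; otherwise show the RID so the account is recognisable."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.fullmatch(r"S-1-5-21-(\d+-\d+-\d+)-(\d+)", sid)
    return f"RID {m.group(2)} in S-1-5-21-{m.group(1)}" if m else sid


def describe_mask(mask):
    """Explorer's simple right if the mask is exactly one, else the bit names."""
    if mask in SIMPLE_RIGHTS:
        return SIMPLE_RIGHTS[mask]
    names = [name for bit, name in FILE_BITS if mask & bit]
    return "|".join(names) or f"0x{mask:08x}"


def parse_sddl(sddl):
    """Return owner SID, group SID and the DACL as a list of ACE dicts."""
    m = re.fullmatch(r"O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*?)(?:S:.*)?", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    # DACL flags such as "PAI" precede the first "(" and are skipped here.
    for body in re.findall(r"\(([^)]*)\)", m.group("dacl")):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({
            "type": f[0],                # A = access allowed, D = access denied
            "flags": f[1],               # inheritance flags: CI, OI, ID, ...
            "mask": parse_rights(f[2]),
            "trustee": f[5],
            "who": trustee_name(f[5]),
        })
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}


def broad_write_grants(sddl, broad=("WD", "AU", "DU")):
    """Allow ACEs that give any write bit to Everyone/Authenticated/Domain Users."""
    return [
        {"who": a["who"], "rights": describe_mask(a["mask"])}
        for a in parse_sddl(sddl)["aces"]
        if a["type"] == "A" and a["trustee"] in broad and a["mask"] & WRITE_BITS
    ]


if __name__ == "__main__":
    for label, sddl in (("page", ROWLAND_SDDL), ("constructed", LEAKY_SDDL)):
        acl = parse_sddl(sddl)
        print(f"[{label}] owner={trustee_name(acl['owner'])} "
              f"group={trustee_name(acl['group'])}")
        for a in acl["aces"]:
            print(f"  {a['type']} {a['who']}: {describe_mask(a['mask'])}")
        print("  broad write grants:", broad_write_grants(sddl) or "none")
```

Run against the page's SDDL it reports the owner (RID 1107) with Full control and both Domain Users and Everyone with Read & execute, which is the same picture getfacl gives above (group domain users r-x, other r-x); only the constructed variant trips the broad-write check. Run it over the NT ACL of the poster's `top-secret_document_only_staff_should_see.rtf` the same way to see whether the Domain Users write access in the POSIX view is also present in the ACL that Windows clients enforce.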
