[Samba] Unable to write to a share that I should have access to
Rob Campbell
robcampbell08105 at gmail.com
Tue Mar 8 22:04:54 UTC 2022
I ran the tests too and got the same results. I thought it would allow you
to change ownership but once you do, you can't do anything else with it.
However, in your scenario, even if you wrote the script and then changed
ownership, even if it were a cron job, it would be limited to the
permissions you have (if you allowed o+x) so the script would only delete
the files you have access to.
I just realized why you said that. I ran that as root.
$ sudo -i
chown ...
so that I wouldn't need to keep typing sudo ...
Is there a restriction on vfat? I can view the exfat mount but not the vfat mount:
/dev/sdf2 on /mnt/seagate type exfat (rw,relatime,uid=1000,gid=1000,fmask=0002,dmask=0022,iocharset=utf8,errors=remount-ro)
/dev/sde1 on /media/mylocaluseraccount/My Book type vfat (rw,relatime,uid=1000,gid=1000,fmask=0002,dmask=0002,allow_utime=0020,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
smb.conf:
[Backup]
comment = Media Storage
path = /mnt/seagate/Backup
writeable = yes
read only = no
create mask = 2777
directory mask = 2777
valid users = "@HOME\Backup"
[OldBackup]
comment = Old Media Storage
path = "/media/mylocaluseraccount/My Book/Backups"
writeable = yes
read only = no
create mask = 2777
directory mask = 2777
valid users = "@HOME\Backup"
la /mnt/
total 264K
drwxr-xr-x 3 root root 4.0K Mar 4 14:11 .
drwxr-xr-x 20 root root 4.0K Jan 24 10:48 ..
drwxr-xr-x 8 mylocaluseraccount mylocaluseraccount 256K Mar 8 14:25 seagate
la /media/mylocaluseraccount/My\ Book/
total 260K
drwxrwxr-x 9 mylocaluseraccount mylocaluseraccount 32K Dec 31 1969 .
drwxr-x---+ 3 root root 4.0K Mar 8 14:02 ..
drwxrwxr-x 10 mylocaluseraccount mylocaluseraccount 32K Oct 16 15:13 Backups
drwxrwxr-x 3 mylocaluseraccount mylocaluseraccount 32K Jul 29 2011 footprints
drwxrwxr-x 2 mylocaluseraccount mylocaluseraccount 32K Jun 4 2005 lost+found
drwxrwxr-x 6 mylocaluseraccount mylocaluseraccount 32K Dec 10 2011 .purple
drwxrwxr-x 4 mylocaluseraccount mylocaluseraccount 32K Mar 18 2020 .Trash-1001
drwxrwxr-x 2 mylocaluseraccount mylocaluseraccount 32K Aug 14 2008 wd_mac_tools
drwxrwxr-x 9 mylocaluseraccount mylocaluseraccount 32K Feb 13 2013 wd_windows_tools
smbclient //10.0.0.10/Backup -U mysambauseraccount -c 'ls'
Password for [HOME\mysambauseraccount]:
. D 0 Fri Mar 4 14:14:29 2022
.. D 0 Tue Mar 8 14:25:29 2022
mysql-backup.tar.gz N 36809286 Fri Jun 17 06:56:36 2016
VirtualBox VMs D 0 Fri Oct 29 17:56:04 2021
VBox D 0 Fri Jan 7 12:19:33 2022
Videos D 0 Fri Mar 4 14:14:26 2022
Photos D 0 Fri Mar 4 14:14:29 2022
4883466240 blocks of size 1024. 722027008 blocks available
smbclient //10.0.0.10/OldBackup -U mysambauseraccount -c 'ls'
Password for [HOME\mysambauseraccount]:
NT_STATUS_ACCESS_DENIED listing \*
The mounted smb share on the other computer:
la /home/othercomputerlocaluseraccount/mnt/Backup
lrwxrwxrwx 1 othercomputerlocaluseraccount othercomputerlocaluseraccount 59 Mar 8 14:50 /home/othercomputerlocaluseraccount/mnt/Backup -> '/run/user/1000/gvfs/smb-share:server=10.0.0.10,share=backup'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
On Tue, Mar 8, 2022 at 11:52 AM Patrick Goetz <pgoetz at math.utexas.edu>
wrote:
>
>
> On 3/8/22 10:29, Rob Campbell wrote:
> > When the normal user owns the dir, they can run chown, right? Granted,
> > it would only be to update the group or to transfer ownership to another
> > user but I believe that is the only time a user has that permission.
> >
>
> Here I am in my home directory:
>
> pgoetz at frog ~$ pwd
> /home/pgoetz
>
> pgoetz at frog ~$ mkdir testdir
> pgoetz at frog ~$ ls -ld testdir
> drwxr-xr-x 2 pgoetz pgoetz 4096 Mar 8 10:38 testdir
>
> pgoetz at frog testdir$ touch foo
> pgoetz at frog testdir$ ls -l foo
> -rw-r--r-- 1 pgoetz pgoetz 0 Mar 8 10:39 foo
>
> Let's make sure the file is wide open, to remove this possible variable:
>
> pgoetz at frog testdir$ chmod 777 foo
> pgoetz at frog testdir$ ls -l
> total 0
> -rwxrwxrwx 1 pgoetz pgoetz 0 Mar 8 10:39 foo
>
> OK, let me attempt to transfer the permission to another user:
>
> pgoetz at frog testdir$ id sven
> uid=1005(sven) gid=1005(sven) groups=1005(sven)
>
> pgoetz at frog testdir$ chown sven foo
> chown: changing ownership of 'foo': Operation not permitted
>
> I can change the group to a group that I'm in:
>
> pgoetz at frog testdir$ chgrp users foo
> pgoetz at frog testdir$ ls -l
> total 0
> -rwxrwxrwx 1 pgoetz users 0 Mar 8 10:39 foo
>
> But I can't change the group to a group I'm not in:
>
> pgoetz at frog testdir$ chgrp ftp foo
> chgrp: changing group of 'foo': Operation not permitted
>
> I think it's like Louis said: being able to arbitrarily change the uid
> of a file as a non-privileged user would be a huge security hole, since
> I could write a shell script called fml.sh
>
> #!/bin/bash
> cd /
> rm -rf *
>
> Then change the ownership to a privileged user:
>
> $ chown root fml.sh
>
> and now this script runs as root.
>
> >
> >
> > On Tue, Mar 8, 2022 at 11:02 AM Patrick Goetz via samba
> > <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
> >
> >
> >
> > On 3/8/22 00:49, Rowland Penny via samba wrote:
> > > On Mon, 2022-03-07 at 20:40 -0600, Patrick Goetz via samba wrote:
> > >>
> > >> On 3/7/22 13:21, Rob Campbell via samba wrote:
> > >>> Following
> > >>>
> > >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs#Setting_Standard_UNIX_ACLs
> > >>>
> > >>> # chmod 2770 /srv/samba/Demo/
> > >>> # chown root:"Domain Users" /srv/samba/Demo/
> > >>>
> > >>> When I try this, I get an error message
> > >>> $ chown testuser:"Media Users" TV_Shows/
> > >>> chown: invalid user: ‘testuser:Media Users’
> > >>>
> > >>
> > >> First of all, you can't use chown as an ordinary user. Only root can do
> > >> this. Second, I'm pretty sure your syntax is wrong? Try this (as
> > >> root):
> > >>
> > >> # chown testuser:"Media Users" TV_Shows
> > >
> > > You can run 'chown' as a normal user, whether you have the permissions
> > > to run it against a particular file is another thing. Also, there was
> > > nothing wrong with the syntax.
> > >
> >
> > What permission would allow you to run chown as a normal user?
> >
> >
> > > Rowland
> > >
> > >
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>