[Samba] Can't change directory owner

Rowland Penny rpenny at samba.org
Tue Feb 7 15:25:47 UTC 2023



On 07/02/2023 14:51, Andrea Cucciarre wrote:
> Hello Rowland,
> 
> It seems to me that it proceeds in the code you pasted 

If you follow the code in try_chown, having the restore privilege doesn't 
seem to do anything (Case 2):

	/* Case (2) / (3) */
	if (lp_enable_privileges()) {
		bool has_take_ownership_priv = security_token_has_privilege(
						get_current_nttok(fsp->conn),
						SEC_PRIV_TAKE_OWNERSHIP);
		bool has_restore_priv = security_token_has_privilege(
						get_current_nttok(fsp->conn),
						SEC_PRIV_RESTORE);

		if (has_restore_priv) {
			; /* Case (2) */
		} else if (has_take_ownership_priv) {
			/* Case (3) */
			if (uid == get_current_uid(fsp->conn)) {
				gid = (gid_t)-1;
			} else {
				has_take_ownership_priv = false;
			}
		}


(since dos
> filemode = Yes), because in the following piece of code it 
> establishes that the user doesn't have SEC_PRIV_RESTORE, which is 
> what I don't understand, because that user has the SeRestorePrivilege:

But from my reading, having that privilege doesn't do anything.
It gets nearly all the way through that block of code and fails at the 
block I posted earlier and returns with 'NT_STATUS_INVALID_OWNER'

> 
> ===========
> 	if (lp_enable_privileges()) {
> 		bool has_take_ownership_priv = security_token_has_privilege(
> 						get_current_nttok(fsp->conn),
> 						SEC_PRIV_TAKE_OWNERSHIP);
> 		bool has_restore_priv = security_token_has_privilege(
> 						get_current_nttok(fsp->conn),
> 						SEC_PRIV_RESTORE);
> 
> 		if (has_restore_priv) {
> 			; /* Case (2) */
> 		} else if (has_take_ownership_priv) {
> 			/* Case (3) */
> 			if (uid == get_current_uid(fsp->conn)) {
> 				gid = (gid_t)-1;
> 			} else {
> 				has_take_ownership_priv = false;
> 			}
> 		}
> 
> 		if (has_take_ownership_priv || has_restore_priv) {
> 			status = NT_STATUS_OK;
> 			become_root();
> 			ret = SMB_VFS_FCHOWN(fsp, uid, gid);
> 			if (ret != 0) {
> 				status = map_nt_error_from_unix(errno);
> 			}
> 			unbecome_root();
> 			return status;
> ========
> 
> Please note that the Windows Administrator user can successfully change 
> the owner.
> Below the output you requested [note that the user 'andrea' (id 11142) 
> wants to set the owner of the directory to user 'betty' (id 11150)]:
> 
> # testparm -s
> Load smb config files from /opt/samba/etc/smb.conf
> lpcfg_do_global_parameter: WARNING: The "enable privileges" option is 
> deprecated
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
>          client ldap sasl wrapping = plain
>          dedicated keytab file = /etc/krb5.keytab
>          disable spoolss = Yes
>          host msdfs = No
>          kerberos method = secrets and keytab
>          load printers = No
>          local master = No
>          log file = /opt/samba/log/%I-%M-%m.log
>          map to guest = Bad User
>          max log size = 100000
>          preferred master = No
>          printcap name = /dev/null
>          realm = HF3.LOCAL
>          security = ADS
>          server string = Data %h
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind expand groups = 4
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          workgroup = HYPERFILE3
>          idmap config hyperfile3 : schema_mode = rfc2307
>          idmap config hyperfile3 : range = 10000-20000000
>          idmap config hyperfile3 : backend = rid
>          idmap config * : schema_mode = rfc2307
>          idmap config * : range = 3000-4000
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          vfs objects = zfsacl

What distro is this? FreeBSD?

Rowland
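To make the branch order in try_chown easier to trace, here is a small decision model, written for this reply as an added illustration rather than taken from Samba's source. It follows the case numbering of the snippet quoted above; the "Case (1)" plain chown attempt and the "Case (4)" dos filemode fallback that surround the quoted privilege block are my reading of the rest of the function and are an assumption here, simplified to what a non-root unix user can do. The uids and the privilege names are the ones from the thread; the scenarios are constructed.

```python
"""Decision model of smbd's try_chown() privilege handling (illustration only).

Not Samba's code. Re-implements the branch order a practitioner traces
when a chown request comes back with NT_STATUS_INVALID_OWNER, using the
case numbering from the quoted snippet. Cases (1) and (4) are assumptions
about the code surrounding the quoted privilege block.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Status(Enum):
    OK = auto()
    ACCESS_DENIED = auto()
    INVALID_OWNER = auto()
    MEDIA_WRITE_PROTECTED = auto()


@dataclass
class Request:
    """One chown attempt, as seen by smbd for the connected user."""
    current_uid: int            # unix uid smbd runs the request as
    file_owner_uid: int         # current owner of the file/directory
    target_uid: int             # requested new owner
    target_gid: int             # requested new group, -1 = leave alone
    privileges: set = field(default_factory=set)   # e.g. {"SeRestorePrivilege"}
    enable_privileges: bool = True                 # "enable privileges" parameter
    dos_filemode: bool = False                     # "dos filemode" parameter
    writable_share: bool = True


def try_chown(req: Request):
    """Return (status, chown_done_as_root) following try_chown()'s branch order."""
    if not req.writable_share:
        return Status.MEDIA_WRITE_PROTECTED, False

    # Case (1), assumed: a plain chown as the connected user. Without
    # CAP_CHOWN a unix user cannot hand a file to someone else, so this is
    # modelled as succeeding only when the owner does not actually change.
    if req.target_uid == req.file_owner_uid:
        return Status.OK, False

    # Cases (2)/(3): the block quoted in the thread.
    if req.enable_privileges:
        has_restore = "SeRestorePrivilege" in req.privileges          # SEC_PRIV_RESTORE
        has_take_ownership = "SeTakeOwnershipPrivilege" in req.privileges  # SEC_PRIV_TAKE_OWNERSHIP

        if has_restore:
            pass                          # Case (2): restore may set any owner
        elif has_take_ownership:
            # Case (3): take-ownership may only make *yourself* the owner,
            # and the group is left untouched (gid = (gid_t)-1).
            if req.target_uid == req.current_uid:
                req.target_gid = -1
            else:
                has_take_ownership = False

        if has_restore or has_take_ownership:
            return Status.OK, True        # become_root(); SMB_VFS_FCHOWN(); unbecome_root()

    # Case (4), assumed: no usable privilege in the token. Without
    # "dos filemode" this is a flat deny; with it, only taking ownership
    # for yourself is allowed, anything else is NT_STATUS_INVALID_OWNER.
    if not req.dos_filemode:
        return Status.ACCESS_DENIED, False
    if req.target_uid != req.current_uid:
        return Status.INVALID_OWNER, False
    return Status.OK, True


# Constructed scenario from the thread: andrea (11142) tries to make
# betty (11150) the owner of a directory andrea owns, dos filemode = Yes.
ANDREA, BETTY = 11142, 11150


def scenario(privs):
    """Run the thread's request with the given privileges in andrea's token."""
    r = Request(current_uid=ANDREA, file_owner_uid=ANDREA,
                target_uid=BETTY, target_gid=-1,
                privileges=set(privs), dos_filemode=True)
    return try_chown(r)


if __name__ == "__main__":
    for privs in ([], ["SeTakeOwnershipPrivilege"], ["SeRestorePrivilege"]):
        print(f"{privs or ['<none>']}: {scenario(privs)}")
```

Run as-is, the model shows that with neither privilege in the token, and also with only SeTakeOwnershipPrivilege (which cannot hand the directory to a third user), the request falls through to the dos filemode check and ends with NT_STATUS_INVALID_OWNER, while a token that really carries SeRestorePrivilege takes the become_root() path. So the question to settle is whether SEC_PRIV_RESTORE is actually present in the token smbd builds for 'andrea'; the rights assigned on the server side can be listed with `net rpc rights list accounts`.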