[Samba] Can't change directory owner
Rowland Penny
rpenny at samba.org
Tue Feb 7 15:25:47 UTC 2023
On 07/02/2023 14:51, Andrea Cucciarre wrote:
> Hello Rowland,
>
> It seems to me that it proceeds in the code you pasted
If you follow the code in try_chown, if you have the restore privilege
it doesn't seem to do anything (Case 2):
/* Case (2) / (3) */
if (lp_enable_privileges()) {
        bool has_take_ownership_priv = security_token_has_privilege(
                                        get_current_nttok(fsp->conn),
                                        SEC_PRIV_TAKE_OWNERSHIP);
        bool has_restore_priv = security_token_has_privilege(
                                        get_current_nttok(fsp->conn),
                                        SEC_PRIV_RESTORE);

        if (has_restore_priv) {
                ; /* Case (2) */
        } else if (has_take_ownership_priv) {
                /* Case (3) */
                if (uid == get_current_uid(fsp->conn)) {
                        gid = (gid_t)-1;
                } else {
                        has_take_ownership_priv = false;
                }
        }
> (since dos
> filemode = Yes) cause in the following previous piece of code it
> establishes that the user doesn't have the SEC_PRIV_RESTORE, which is
> what I don't understand cause that user has the SeRestorePrivilege:
But from my reading, having that privilege doesn't do anything.
It gets nearly all the way through that block of code and fails at the
block I posted earlier and returns with 'NT_STATUS_INVALID_OWNER'.
>
> ===========
> if (lp_enable_privileges()) {
>         bool has_take_ownership_priv = security_token_has_privilege(
>                                         get_current_nttok(fsp->conn),
>                                         SEC_PRIV_TAKE_OWNERSHIP);
>         bool has_restore_priv = security_token_has_privilege(
>                                         get_current_nttok(fsp->conn),
>                                         SEC_PRIV_RESTORE);
>
>         if (has_restore_priv) {
>                 ; /* Case (2) */
>         } else if (has_take_ownership_priv) {
>                 /* Case (3) */
>                 if (uid == get_current_uid(fsp->conn)) {
>                         gid = (gid_t)-1;
>                 } else {
>                         has_take_ownership_priv = false;
>                 }
>         }
>
>         if (has_take_ownership_priv || has_restore_priv) {
>                 status = NT_STATUS_OK;
>                 become_root();
>                 ret = SMB_VFS_FCHOWN(fsp, uid, gid);
>                 if (ret != 0) {
>                         status = map_nt_error_from_unix(errno);
>                 }
>                 unbecome_root();
>                 return status;
> ========
>
> Please note that the Windows Administrator user can successfully change the
> owner.
> Below is the output you requested [note that the user 'andrea' (id 11142)
> wants to set the owner of the directory to user 'betty' (id 11150)]:
>
> # testparm -s
> Load smb config files from /opt/samba/etc/smb.conf
> lpcfg_do_global_parameter: WARNING: The "enable privileges" option is
> deprecated
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client ldap sasl wrapping = plain
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = Yes
> host msdfs = No
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /opt/samba/log/%I-%M-%m.log
> map to guest = Bad User
> max log size = 100000
> preferred master = No
> printcap name = /dev/null
> realm = HF3.LOCAL
> security = ADS
> server string = Data %h
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> workgroup = HYPERFILE3
> idmap config hyperfile3 : schema_mode = rfc2307
> idmap config hyperfile3 : range = 10000-20000000
> idmap config hyperfile3 : backend = rid
> idmap config * : schema_mode = rfc2307
> idmap config * : range = 3000-4000
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = zfsacl
What distro is this? FreeBSD?
Rowland