smbd: Broken access to share

Купчук Михаил Георгиевич MKupchuk at inno.tech
Fri Feb 16 11:14:21 UTC 2024


Hello Björn,

Thank you for pointing that out. But our problem still exists with the latest sources from master.
While investigating the problem, I did not roll back exactly that commit, but I did check out 12734848dc9901b932644139aaa7e3f78e55c8dc (the commit prior to 0e3836e3961f2b7c39173ce1023d3c92addef630) and the problem disappeared.
So, I decided that the problem is only in 0e3836e3961f2b7c39173ce1023d3c92addef630.
But as it appears, the problem is not only in that one commit, but in several commits in the "prefer capabilities over become_root" set.
When I apply a patch like this to the latest sources:

diff --git a/source3/lib/system.c b/source3/lib/system.c
index bdaa723fd3..4ad26524de 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -643,7 +643,7 @@ static bool set_process_capability(enum smbd_capability capability,
  Gain the oplock capability from the kernel if possible.
 ****************************************************************************/

-#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE) && defined(CAP_DAC_OVERRIDE_FIXED)
 static bool have_cap_dac_override = true;
 #else
 static bool have_cap_dac_override = false;
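
Review bot: on the changed `#if` line, `CAP_DAC_OVERRIDE_FIXED` is not defined by anything in the visible lines, so unless something outside this hunk sets it the condition is never true and `have_cap_dac_override` always takes the `#else` value `false`. That works as a local diagnostic switch, but it should not go in as written: if the capability path has to be turned off, gate it on a symbol that a configure check or a documented build option actually sets, and add a comment saying why. Separately, the context comment above the block still reads "Gain the oplock capability from the kernel if possible." although the guarded variable concerns `CAP_DAC_OVERRIDE`; that comment should be corrected.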

which in fact disables that whole "prefer capabilities over become_root" commit set,
our problem goes away and everything works again.


Best wishes,
Michael

-----Original Message-----
From: Björn Baumbach <bb at sernet.de> 
Sent: Thursday, February 15, 2024 10:27 PM
To: Купчук Михаил Георгиевич <MKupchuk at inno.tech>; samba-technical at lists.samba.org
Subject: Re: smbd: Broken access to share



Hi Michael,

On 2/15/24 17:26, Купчук Михаил Георгиевич via samba-technical wrote:
> Found out that this patch https://gitlab.com/samba-team/samba/-/commit/0e3836e3961f2b7c39173ce1023d3c92addef630 broke access to sysvol for "Domain Admins" group members.

this patch has been reverted, already:
https://gitlab.com/samba-team/samba/-/commit/697d41420b4f4830396acfbc96bd1f1c1f0531f4

Best regards,
Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung AG Göttingen: HR-B 2816 - http://www.sernet.de
Datenschutz: https://www.sernet.de/datenschutz

