Chad William Seys
2016-May-11 01:38 UTC
[Samba] access to files continues after removing user from group
Hello all, I've noticed that removing a user from a group in /etc/group does not immediately prevent the user from accessing files / directories which the group still has access to. For example, say user 'cwseyst2' only has access to access to 'plc' if it is in group 'plc-staff'. # getfacl plc # file: plc # owner: smbadmin # group: smbadmin user::rwx group::rwx group:plc-staff:rwx group:wheel:rwx mask::rwx other::--- default:user::rwx default:group::r-x default:group:plc-staff:rwx default:group:wheel:rwx default:mask::rwx default:other::--- If plc-group starts off without cwseyst2, then as expected cwseyst2 cannot access. Then I add cwseyst2 to plc-staff by editing /etc/group and as expected access is possible. The surprise comes in when I remove cwseyst2 from plc-staff by editing /etc/group . cwseyst2 can continue accessing plc! It can create files! cwseyst2 only looses access when smbd is restarted. (Or the smbd process acting for cwseyst2 is killed and respawned.) It seems as though the smbd process which is acting for cwseyst2 is running as root and can access the files as root instead of cwseyst2. The computer does not have nscd. Does samba not drop privileges aggressively enough? Have I set up samba wrong? Thanks! Chad.
Reindl Harald
2016-May-11 09:15 UTC
[Samba] access to files continues after removing user from group
Am 11.05.2016 um 03:38 schrieb Chad William Seys:> cwseyst2 only looses access when smbd is restarted. (Or the smbd process > acting for cwseyst2 is killed and respawned.) It seems as though the smbd > process which is acting for cwseyst2 is running as root and can access the > files as root instead of cwseyst2. > > The computer does not have nscd. > > Does samba not drop privileges aggressively enough?looks so because most of the time smbd processes are running as root and only when filetransfers are happening they switch to the connected user (while i have no idea how it is possible at all to become root again after priviliges where dropped) none of these processes should run as root after the user authenticated root 2122 0.0 0.2 436392 15224 ? SN 06:15 0:00 /usr/sbin/smbd -D root 4897 0.0 0.0 426784 5056 ? SNs Mai03 0:03 /usr/sbin/smbd -D root 4898 0.0 0.0 422904 1792 ? SN Mai03 0:00 /usr/sbin/smbd -D root 4899 0.0 0.0 426848 3712 ? SN Mai03 0:01 /usr/sbin/smbd -D netatalk has the more sane behavior here - the spawned process of the user is *always* running as the user and never as root -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20160511/c0db2934/signature.sig>
Jeremy Allison
2016-May-11 09:19 UTC
[Samba] access to files continues after removing user from group
On Tue, May 10, 2016 at 08:38:22PM -0500, Chad William Seys wrote:> Hello all, > I've noticed that removing a user from a group in /etc/group does not > immediately prevent the user from accessing files / directories which the > group > still has access to. > For example, say user 'cwseyst2' only has access to access to 'plc' if it > is in group 'plc-staff'. > # getfacl plc > # file: plc > # owner: smbadmin > # group: smbadmin > user::rwx > group::rwx > group:plc-staff:rwx > group:wheel:rwx > mask::rwx > other::--- > default:user::rwx > default:group::r-x > default:group:plc-staff:rwx > default:group:wheel:rwx > default:mask::rwx > default:other::--- > > If plc-group starts off without cwseyst2, then as expected cwseyst2 cannot > access. > > Then I add cwseyst2 to plc-staff by editing /etc/group and as expected access > is possible. > > The surprise comes in when I remove cwseyst2 from plc-staff by editing > /etc/group . cwseyst2 can continue accessing plc! It can create files! > > cwseyst2 only looses access when smbd is restarted. (Or the smbd process > acting for cwseyst2 is killed and respawned.) It seems as though the smbd > process which is acting for cwseyst2 is running as root and can access the > files as root instead of cwseyst2. > > The computer does not have nscd. > > Does samba not drop privileges aggressively enough? Have I set up samba > wrong?Logged in tokens with group lists don't dynamically change to reflect changes in the group database. The token (user id and group list) is created at login time, and will remain the same whilst that user is connected.
Chad William Seys
2016-May-11 14:54 UTC
[Samba] access to files continues after removing user from group
Hi Jeremy,> Logged in tokens with group lists don't dynamically > change to reflect changes in the group database. > The token (user id and group list) is created > at login time, and will remain the same whilst > that user is connected.Thanks for the explanation. It seems like the token should be used to determine "who" the process is, while their username and groups they belong to compared against the filesystem ACL "what" they can access. Shouldn't Samba be checking the filesystem ACL and the user/group membership every time a file/dir are accessed? The kernel should do this for Samba if Samba always dropped privileges to access files, right? Seems like a security bug waiting to happen not to do this. Chad.