stephane.purnelle@corman.be
2004-Jan-09 13:30 UTC
[Samba] samba says "you have right" but I must not have right (Important - SECURITY ISSUE)
My Samba 3.0.1 is configured with LDAP SAM and ACL on XFS filesystem.
For a test, I added my user to the group "cadres". This group is in the ACL
definition of my directory.
# file: Projets
# owner: root
# group: root
user::rwx
user:asi:rwx
group::rwx
group:administrateurs
group:cdir:r-x
group:jardin:r-x
group:cadres:r-x
mask::rwx
other::---
default:user::rwx
default:user:asi:rwx
default:group::rwx
default:group:adminis
default:mask::rwx
default:other::---
In my explorer, the directory Projets appears; the directory is available.
Afterwards, I modified my group "cadres" and removed my account from the
group.
For more than 1 hour, I have been able to see and access the directory, but
in a Unix console I cannot, and I must not have access to this directory.
The only possibility that I have is: "killing my connection with
SWAT".
I looked at the source and I think that the NT_USER_TOKEN information is
not updated after connection, or if this information is updated, it is not
updated correctly.
I propose that Samba refresh this information correctly every five minutes,
or add a parameter REFRECH_USRE_INFO in smb.conf.
Please help me.
Stéphane
Samba Administrator.
-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
Andrew Bartlett
2004-Jan-09 21:45 UTC
[Samba] samba says "you have right" but I must not have right (Important - SECURITY ISSUE)
On Fri, Jan 09, 2004 at 02:25:08PM +0100, stephane.purnelle@corman.be wrote:
> My Samba 3.0.1 is configured with LDAP SAM and ACL on XFS filesystem.
>
> For a test, I added my user to the group "cadres". This group is in the ACL
> definition of my directory.
>
> # file: Projets
> # owner: root
> # group: root
> user::rwx
> user:asi:rwx
> group::rwx
> group:administrateurs
> group:cdir:r-x
> group:jardin:r-x
> group:cadres:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:asi:rwx
> default:group::rwx
> default:group:adminis
> default:mask::rwx
> default:other::---
>
> In my explorer, the directory Projets appears; the directory is available.
> Afterwards, I modified my group "cadres" and removed my account from the group.
>
> For more than 1 hour, I have been able to see and access the directory, but
> in a Unix console I cannot, and I must not have access to this directory.
> The only possibility that I have is: "killing my connection with SWAT".
>
>
> I looked at the source and I think that the NT_USER_TOKEN information is
> not updated after connection, or if this information is updated, it is not
> updated correctly.
> I propose that Samba refresh this information correctly every five minutes,
> or add a parameter REFRECH_USRE_INFO in smb.conf.
You will find that all Unix, NT and Win2k systems function in this way. A user's group permissions last until they log out.
Andrew Bartlett
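The behaviour described in the reply above can be checked on the Unix side. The following is an added example, not part of the original thread and not Samba code: it compares the groups each running process still carries with what the group database grants now. It assumes a Linux /proc layout, uses constructed sample data, and does not read smbd's in-memory NT_USER_TOKEN.

```python
import os
import pwd

# Constructed sample of /proc/<pid>/status for a session opened while the
# user (uid 1001, primary gid 1001) was still a member of gid 2005.
SAMPLE_STATUS = """Name:\tbash
Pid:\t4242
Uid:\t1001\t1001\t1001\t1001
Gid:\t1001\t1001\t1001\t1001
Groups:\t1001 2005
"""

def parse_status(text):
    """Return (real uid, set of gids held) from /proc/<pid>/status text."""
    uid, gids = None, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid" and fields:
            uid = int(fields[0])
        elif key == "Gid" and fields:
            gids.add(int(fields[0]))          # real primary gid
        elif key == "Groups":
            gids.update(int(f) for f in fields)
    return uid, gids

def stale_gids(held, current):
    """Gids the process still carries that the group database no longer grants."""
    return set(held) - set(current)

def current_gids(uid):
    """Membership as the group database (files, LDAP via NSS) reports it now."""
    entry = pwd.getpwuid(uid)
    return set(os.getgrouplist(entry.pw_name, entry.pw_gid))

def scan(proc="/proc"):
    """Yield (pid, uid, stale gids) for each readable process with stale groups."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as fh:
                uid, held = parse_status(fh.read())
            stale = stale_gids(held, current_gids(uid))
        except (OSError, KeyError, TypeError):
            continue                           # process exited or uid unknown
        if stale:
            yield int(pid), uid, stale

if __name__ == "__main__":
    for pid, uid, stale in scan():
        print(f"pid {pid} uid {uid} still holds revoked gids {sorted(stale)}")
```

Run as root to read every process; any session it lists keeps the revoked group until that process ends.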