Hello,

After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba does respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.

Distribution and Samba version in use: CentOS Linux 7; Samba 4.1.1

##### Server

# Create Linux users
useradd alice
useradd bob

# Create a directory to be shared; set ro permissions for alice using \
# file mode bits and rw permissions for bob using file acls
mkdir /home/smbshare
chown alice:alice /home/smbshare
chmod 0500 /home/smbshare
setfacl -m u:bob:rwx /home/smbshare
setfacl -m m:rwx /home/smbshare

# Create a file for testing purposes
echo 'Hello world!' > /home/smbshare/test.txt

# Add users to Samba database
pdbedit -a -u alice
pdbedit -a -u bob

# Define share in smb.conf and restart the smb daemon
vim /etc/samba/smb.conf
[smbshare]
comment = smbshare for alice(ro) and bob(rw)
path = /home/smbshare
browseable = yes
writeable = yes
valid users = alice bob

systemctl reload smb

# Set the SELinux permissions and open samba on firewall
chcon -R -t samba_share_t /home/smbshare

firewall-cmd --add-service=samba --permanent
firewall-cmd --reload


##### Client

# Create Linux users
useradd alice
useradd bob

# Mount the remote Samba share
mkdir /mnt/smbshare
mount -t cifs -o username=alice,password=pass //192.168.1.112/smbshare /mnt/smbshare

# Now test the permissions
su - alice
cd /mnt/smbshare
cat test.txt                  # shows the contents of test.txt, as expected
echo 'I am alice' > test2.txt # permission denied, as expected
exit

su - bob
cd /mnt/smbshare              # permission denied -- ???? NOT AS EXPECTED
exit

# I think it doesn't matter under which user to mount, but just to be sure \
# I tried to mount using bob's credentials
umount /mnt/smbshare
mount -t cifs -o username=bob,password=pass //192.168.1.112/smbshare /mnt/smbshare

# After checking actual permissions I got the same results as above: \
# alice has read-only permissions (as expected), bob has no access (NOT as expected)

-- 
Best regards,
Rufe
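The POSIX ACL rules the setup above relies on, as an added example that is not part of the thread: a small model of the acl(5) access-check algorithm (owner entry, named user entry, group entries capped by the mask, other) applied to the share exactly as it was configured. User and group names stand in for uids/gids, and the ACL entries are the ones getfacl would print for that directory (constructed here). It models only the server kernel's file-system decision, not Samba's own share checks or anything the cifs client does.

```python
R, W, X = 4, 2, 1   # permission bits, as in a mode digit

def parse_acl(text):
    """Parse getfacl-style lines such as 'user:bob:rwx' into (tag, qualifier, bits)."""
    entries = []
    for line in text.strip().splitlines():
        tag, qualifier, perms = line.split(":")
        bits = sum(b for ch, b in (("r", R), ("w", W), ("x", X)) if ch in perms)
        entries.append((tag, qualifier, bits))
    return entries

def access_granted(entries, user, groups, owner, owner_group, requested):
    """acl(5) access check: owner entry, then named user, then group entries
    (each capped by the mask), then other.  Names stand in for uids/gids."""
    mask = next((b for t, q, b in entries if t == "mask"), R | W | X)
    if user == owner:                           # ACL_USER_OBJ is never masked
        bits = next(b for t, q, b in entries if t == "user" and q == "")
        return requested & ~bits == 0
    for t, q, b in entries:                     # ACL_USER, capped by the mask
        if t == "user" and q == user:
            return requested & ~(b & mask) == 0
    matched = False                             # ACL_GROUP_OBJ and ACL_GROUP
    for t, q, b in entries:
        if t == "group" and (owner_group in groups if q == "" else q in groups):
            matched = True
            if requested & ~(b & mask) == 0:    # any matching group entry suffices
                return True
    if matched:
        return False                            # a group matched but lacked the bits
    other = next(b for t, q, b in entries if t == "other")
    return requested & ~other == 0

# The thread's directory: chown alice:alice; chmod 0500; setfacl -m u:bob:rwx;
# setfacl -m m:rwx.  These are the entries getfacl would print (constructed).
SMBSHARE_ACL = parse_acl("""
user::r-x
user:bob:rwx
group::---
mask::rwx
other::---
""")

def check_thread_setup():
    """What the server's file system itself decides for each user."""
    ident = dict(owner="alice", owner_group="alice")
    return {
        "alice_read": access_granted(SMBSHARE_ACL, "alice", ["alice"], requested=R | X, **ident),
        "alice_write": access_granted(SMBSHARE_ACL, "alice", ["alice"], requested=W, **ident),
        "bob_rwx": access_granted(SMBSHARE_ACL, "bob", ["bob"], requested=R | W | X, **ident),
        "carol_read": access_granted(SMBSHARE_ACL, "carol", ["carol"], requested=R, **ident),
    }

if __name__ == "__main__":
    print(check_thread_setup())
```

For the directory as configured this predicts full access for bob at the file-system level, so a denial seen through the mount has to come from a layer above the POSIX ACL (uid mapping, the Samba share, or the client), which is the right place to look next.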
Jeremy Allison
2014-Dec-19 20:48 UTC
[Samba] Does Samba 4 actually respect Unix file acls?
On Fri, Dec 19, 2014 at 12:47:51PM -0500, Rufe Glick wrote:
> Hello,
>
> After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba does respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.
>
> Distribution and Samba version in use: CentOS Linux 7; Samba 4.1.1
>
> ##### Server
>
> # Create Linux users
> useradd alice
> useradd bob
>
> # Create a directory to be shared; set ro permissions for alice using \
> # file mode bits and rw permissions for bob using file acls
> mkdir /home/smbshare
> chown alice:alice /home/smbshare
> chmod 0500 /home/smbshare
> setfacl -m u:bob:rwx /home/smbshare
> setfacl -m m:rwx /home/smbshare
>
> # Create a file for testing purposes
> echo 'Hello world!' > /home/smbshare/test.txt
>
> # Add users to Samba database
> pdbedit -a -u alice
> pdbedit -a -u bob
>
> # Define share in smb.conf and restart the smb daemon
> vim /etc/samba/smb.conf
> comment = smbshare for alice(ro) and bob(rw)
> path = /home/smbshare
> browseable = yes
> writeable = yes
> valid users = alice bob
>
> systemctl reload smb
>
> # Set the SELinux permissions and open samba on firewall
> chcon -R -t samba_share_t /home/smbshare
>
> firewall-cmd --add-service=samba --permanent
> firewall-cmd --reload
>
>
> ##### Client
>
> # Create Linux users
> useradd alice
> useradd bob

Do alice and bob have the same user ids on client and server ?
Hello Jeremy,

Friday, December 19, 2014, 3:48:51 PM, you wrote:

> On Fri, Dec 19, 2014 at 12:47:51PM -0500, Rufe Glick wrote:
>> Hello,
>>
>> After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba does respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.
>>
>> Distribution and Samba version in use: CentOS Linux 7; Samba 4.1.1
>>
>> ##### Server
>>
>> # Create Linux users
>> useradd alice
>> useradd bob
>>
>> # Create a directory to be shared; set ro permissions for alice using \
>> # file mode bits and rw permissions for bob using file acls
>> mkdir /home/smbshare
>> chown alice:alice /home/smbshare
>> chmod 0500 /home/smbshare
>> setfacl -m u:bob:rwx /home/smbshare
>> setfacl -m m:rwx /home/smbshare
>>
>> # Create a file for testing purposes
>> echo 'Hello world!' > /home/smbshare/test.txt
>>
>> # Add users to Samba database
>> pdbedit -a -u alice
>> pdbedit -a -u bob
>>
>> # Define share in smb.conf and restart the smb daemon
>> vim /etc/samba/smb.conf
>> comment = smbshare for alice(ro) and bob(rw)
>> path = /home/smbshare
>> browseable = yes
>> writeable = yes
>> valid users = alice bob
>>
>> systemctl reload smb
>>
>> # Set the SELinux permissions and open samba on firewall
>> chcon -R -t samba_share_t /home/smbshare
>>
>> firewall-cmd --add-service=samba --permanent
>> firewall-cmd --reload
>>
>> ##### Client
>>
>> # Create Linux users
>> useradd alice
>> useradd bob
>
> Do alice and bob have the same user ids on client
> and server ?

Yes, the uids and gids are identical on both server and client machines.
Nico Kadel-Garcia
2014-Dec-21 01:42 UTC
[Samba] Does Samba 4 actually respect Unix file acls?
On Fri, Dec 19, 2014 at 12:47 PM, Rufe Glick <rufe.glick at gmail.com> wrote:
> Hello,
>
> After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba does respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.

I'm sorry, but exactly which set of "file ACLs" are you referring to? NFSv4, perhaps, or Linux availability? CIFS ACLs? Because I've got to warn you, I pursued getting NFS and CIFS clients to work well with Samba and Netapps, with Linux and Windows clients, and it was a clusterfutz to manage. RHEL didn't include decent GUIs to manage NFSv4 ACLs, there are profound hierarchy differences between CIFS and NFSv4, and the edge cases were nightmarish. Frankly, for most environments, the POSIX permissions are not only vastly simpler, but the software compatibility is so much simpler as to help make the code more stable and thus safer. I remember even Jeremy Allison referring to the NFSv4 code in Samba as spaghetti code.

> Distribution and Samba version in use: CentOS Linux 7; Samba 4.1.1

OK, right there you've got a problem. Samba is up to version 4.1.14, even though RHEL and thus CentOS have never included a significant version update since 4.1.1. If you feel the need, feel free to work with my tools at https://github.com/nkadel/samba4repo to get up to samba-4.1.14, or work with the SerNet repo. I use the build options to include the internal Heimdal version of Kerberos, and thus include full samba-dc packages. You might enjoy them, and I'd personally appreciate CentOS 7 testing. I'm working primarily with CentOS 6 right now, and haven't really tested it out in CentOS 7.

> ##### Server
>
> # Create Linux users
> useradd alice
> useradd bob
>
> # Create a directory to be shared; set ro permissions for alice using \
> # file mode bits and rw permissions for bob using file acls
> mkdir /home/smbshare
> chown alice:alice /home/smbshare
> chmod 0500 /home/smbshare

You really want 2770 for POSIX permission support. I think it's just going to Work Much Better For You(tm). Also, if you keep in mind that POSIX permissions are a form of ACL, and tools like the CIFS protocols and NFSv4 have their own protocols, and these are also inherent *to the underlying file system*, you'll be able to understand better that Samba is limited by the underlying file system.

> setfacl -m u:bob:rwx /home/smbshare
> setfacl -m m:rwx /home/smbshare
>
> # Create a file for testing purposes
> echo 'Hello world!' > /home/smbshare/test.txt
>
> # Add users to Samba database
> pdbedit -a -u alice
> pdbedit -a -u bob
>
> # Define share in smb.conf and restart the smb daemon
> vim /etc/samba/smb.conf
> comment = smbshare for alice(ro) and bob(rw)
> path = /home/smbshare
> browseable = yes
> writeable = yes
> valid users = alice bob
>
> systemctl reload smb
>
> # Set the SELinux permissions and open samba on firewall
> chcon -R -t samba_share_t /home/smbshare
>
> firewall-cmd --add-service=samba --permanent
> firewall-cmd --reload

SELinux has to live on top of, and add restrictions on top of, the underlying file system. If the underlying file system blocks access, such as you're seeing with the local file system and POSIX, you're going to be SOL for other more sophisticated ACLs. If I may suggest, don't try to get too clever with this. Use POSIX, and review how you can use simple POSIX groups instead of getting cute with this. This will allow simple UNIX tools like "tar" to work well, without having to remember to use "star" to get the extra SELinux permissions.

> ##### Client
>
> # Create Linux users
> useradd alice
> useradd bob
>
> # Mount the remote Samba share
> mkdir /mnt/smbshare
> mount -t cifs -o username=alice,password=pass //192.168.1.112/smbshare /mnt/smbshare
>
> # Now test the permissions
> su - alice
> cd /mnt/smbshare
> cat test.txt # shows the contents of test.txt, as expected
> echo 'I am alice' > test2.txt # permission denied, as expected
> exit
>
> su - bob
> cd /mnt/smbshare # permission denied -- ???? NOT AS EXPECTED
> exit
>
> # I think it doesn't matter under which user to mount, but just to be sure \
> # I tried to mount using bob's credentials
> umount /mnt/smbshare
> mount -t cifs -o username=bob,password=pass //192.168.1.112/smbshare /mnt/smbshare
>
> # After checking actual permissions I got the same results as above: \
> # alice has read-only permissions (as expected), bob has no access (NOT as expected)
>
> --
> Best regards,
> Rufe