Akash Jain
2018-Feb-01 05:20 UTC
[Samba] Reload config with SIGHUP does not immediately revoke access to host removed from hosts allow
Hello All,

My samba-4.x server has a lot of registry shares added. There are Windows clients connected to it and I wanted to remove the access to one of the hosts.

I did net conf setparm to set the updated list of IPs in the "hosts allow" param and then reloaded the samba config with killall -1 smbd.

I see that the host which is not part of the hosts allow but already has an open window in Windows Explorer still continues to get access for a good amount of time, which is a security flaw.

I see that the smbd process serving that host (which we see in the smbstatus command) received the reload config and the logs show that it reads the latest configuration for that registry share, but we do not see the effect immediately.

Any idea why it is happening so? Is it a known behaviour or a known issue?

Thanks,
Akash
L A Walsh
2018-Feb-01 05:45 UTC
[Samba] Reload config with SIGHUP does not immediately revoke access to host removed from hosts allow
Akash Jain via samba wrote:
> Hello All
>
> My samba-4.x server has lot of registry shares added. There are windows
> clients connected to it and I wanted to remove the access to one of the
> hosts.
----
Just a guess, but since cifs/samba uses 'tcp' for client<->server connections, the hosts.allow/deny mechanism does its access checking when a new connection is attempted. Since the clients were already connected, there was no new check for those clients already connected.

> I did net conf setparm to set the updated list of IPs in "hosts allow"
> param and then reloaded samba config with killall -1 smbd .
>
> I see that the host which is not part of the hosts allow but already have a
> open window in Windows Explorer still continues to get the access for good
> amount of time which is a security flaw.
---
You could say that, but would you really want access checking done for every byte you read or write on a file? Worse, the access checking involves many trips over the network.

On *nix systems, once you have a file descriptor open -- you have a handle to anything accessible with that descriptor. In the case of Windows -- an entire Windows session is funneled through 1 TCP connection between each server and client.

That limitation (1 connection between client and server) is also a limiting factor in file transfers, since multiple CPUs and multiple connections that might enable significantly faster performance through parallel connections aren't easily done. Only in cifs 3.x (not sure of the sub-number) has MS realized this and started trying to allow some work to be done in additional streams.

To enforce your rules, you must make sure clients are disconnected from the server so they have to go through the initial access checking in the hosts.xxx files.

-linda
Andrew Bartlett
2018-Feb-01 06:39 UTC
[Samba] Reload config with SIGHUP does not immediately revoke access to host removed from hosts allow
On Thu, 2018-02-01 at 10:50 +0530, Akash Jain via samba wrote:
> Hello All
>
> My samba-4.x server has lot of registry shares added. There are windows
> clients connected to it and I wanted to remove the access to one of the
> hosts.
>
> I did net conf setparm to set the updated list of IPs in "hosts allow"
> param and then reloaded samba config with killall -1 smbd .
>
> I see that the host which is not part of the hosts allow but already have a
> open window in Windows Explorer still continues to get the access for good
> amount of time which is a security flaw.
>
> I see that the smbd process serving that host (which we see in smbstatus
> command) received the reload config with and logs show that it reads the
> latest configuration for that registry share, but we do not see the effect
> immediately.
>
> Any idea why is it happening so? Is it a known behaviour or known issue?

To disconnect a client, see smbcontrol kill-client-ip.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
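Putting the two replies together as one procedure: the "hosts allow" change only applies to new TCP connections, so after updating the share you also have to drop the client's existing smbd processes. The script below is an added example written for this page; it is not from the thread or from the Samba project. It assumes Samba's net(8), smbcontrol(1) and smbstatus(1) are on PATH, that it runs as root, and that the "smbstatus -p" Machine column looks like "10.0.0.6 (ipv4:10.0.0.6:49152)"; the smbcontrol message names are taken from smbcontrol(1) and should be checked against the installed version. The sample share name and IPs are made up.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: remove one client
# IP from a registry share's "hosts allow" and then drop that client's
# existing SMB sessions, since "hosts allow" is only evaluated when a new
# TCP connection is set up.
#
# Assumptions: net(8), smbcontrol(1) and smbstatus(1) are on PATH and the
# script runs as root. Message and destination names for smbcontrol are
# taken from smbcontrol(1); confirm them on the installed Samba version.

# Pure text helper: print the "hosts allow" value with one IP removed.
# Samba accepts space- or comma-separated entries, so both are handled.
# Usage: drop_ip <ip-to-remove> <current hosts allow value>
drop_ip() {
    _drop="$1"; shift
    _out=""
    for _h in $(printf '%s' "$*" | tr ',' ' '); do
        [ "$_h" = "$_drop" ] && continue
        _out="${_out:+$_out }$_h"
    done
    printf '%s\n' "$_out"
}

# Pure text helper: succeed if the IP still has a session in the
# "smbstatus -p" listing read from stdin. The Machine column is assumed to
# look like "10.0.0.6 (ipv4:10.0.0.6:49152)"; -F keeps the dots literal.
still_connected() {
    grep -qF "(ipv4:$1:"
}

# Usage: revoke_host <share> <ip>
revoke_host() {
    _share="$1"; _ip="$2"
    _current=$(net conf getparm "$_share" "hosts allow") || return 1
    _updated=$(drop_ip "$_ip" "$_current")

    # An empty "hosts allow" means no restriction at all, so never write
    # one by accident; removing the last entry needs a deliberate decision.
    if [ -z "$_updated" ]; then
        echo "refusing to leave 'hosts allow' empty on $_share" >&2
        return 1
    fi

    net conf setparm "$_share" "hosts allow" "$_updated" || return 1

    # Same effect as the OP's "killall -1 smbd": make the running smbds
    # reread the configuration. This alone leaves established sessions alone.
    smbcontrol smbd reload-config || return 1

    # Kill the smbd processes serving that client; this is what actually
    # enforces the new list for sessions that are already open.
    smbcontrol smbd kill-client-ip "$_ip" || return 1

    # Check: the client should no longer appear in smbstatus.
    sleep 1
    if smbstatus -p | still_connected "$_ip"; then
        echo "warning: $_ip still has open sessions on this server" >&2
        return 1
    fi
}

# Only act when invoked with arguments, e.g.: ./revoke_host.sh myshare 10.0.0.6
if [ $# -eq 2 ]; then
    revoke_host "$1" "$2"
fi
```

Two things worth keeping from this beyond the kill-client-ip call: refusing to write an empty "hosts allow" (which would open the share to every host rather than none), and re-checking smbstatus afterwards rather than trusting that the reload took effect.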
Possibly Parallel Threads
- Intermittent failure of net ads join command with error "The transport connection is now disconnected"
- Operation Not Supported error for GETXATTR when VFS plugin "nfs4acl_xattr" is used
- Samba permission changes are not applied to active connections