samba - Feb 2018 - Samba 4.6.2 does not inherit setgid bit (anymore)

thanks for suggestion, in other words you use only ACLs for users 
denying all for groups, unfortunately we had many group such as domain 
users, secretary, finance, etc belonging to users for which we need to 
apply at least 770 in order to gain a simplified permission management 
using groups

the actual dirty workaround I applied was to track new files/dir by 
tailing with follow ( tail -f ) a smbd_audit.log filtered through 
rsyslog for messages generated by samba full_audit configured to listen 
"create_file" event; the problem here is that sometime samba
full_audit
report the event of a file or folder created by the element isn't on the 
disk yet so as security checkpoint I ended to apply a chgrp -R root 
nightly on a daily basis.

all of these problems could easily resolved if there was existed an 
option such as an hypothetical "force item group" that allow me to
force
the group for created item ( note that the current one "force group" 
option not work for me because it apply as an impersonation of a group 
for the authenticated user generating more security problems ).


Lorenzo Delana |
|
On 02/02/2018 17:15, Dale Renton wrote:
>
>     have you found a solution that makes "force directory mode =
2770"
>     able to apply to new created folders ?
>
>
> We have noticed the same thing in CentOS 7. The setgid no longer works 
> like it did before, so now we create our shares like this following 
> the instructions from the wiki.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
>
> # chmod 700 /u01/test
> # chown root:root /u01/test
> # setfacl -m group::--- /u01/test
> # setfacl -m default:group::--- /u01/test
> # setfacl -m other::--- /u01/test
> # setfacl -m default:other::--- /u01/test
> # setfacl -m group:unixadmins:rwx /u01/test
> # setfacl -m default:group:unixadmins:rwx /u01/test
>
>
> smb.conf
>
>  [test]
>   comment = test
>   path = /u01/test
>   read only = No
>   inherit acls = yes
>
>
> Dale

Hi Lorenzo and Dale,

My setup is like Lorenzo's completely based on setgid being propagated. 
The filesystem should determine the group used starting at a certain 
directory. Different "root" directories have different groups, and 
security is based on groups, not users.

I tried all sorts of settings combinations, alseo "force directory mode 
= 2770", but none propagates setgid.

The odd thing is that it has worked fine for years on versions below 
4.2.10. Only after udating to 4.6.2 it completely stopped working. I 
wonder if it is a new feature to neglect setgid completely, or that it 
is a bug and that i may expect it working again in future versions.

Kind regards, Vincent


On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
> thanks for suggestion, in other words you use only ACLs for users 
> denying all for groups, unfortunately we had many group such as domain 
> users, secretary, finance, etc belonging to users for which we need to 
> apply at least 770 in order to gain a simplified permission management 
> using groups
>
> the actual dirty workaround I applied was to track new files/dir by 
> tailing with follow ( tail -f ) a smbd_audit.log filtered through 
> rsyslog for messages generated by samba full_audit configured to 
> listen "create_file" event; the problem here is that sometime
samba
> full_audit report the event of a file or folder created by the element 
> isn't on the disk yet so as security checkpoint I ended to apply a 
> chgrp -R root nightly on a daily basis.
>
> all of these problems could easily resolved if there was existed an 
> option such as an hypothetical "force item group" that allow me
to
> force the group for created item ( note that the current one "force 
> group" option not work for me because it apply as an impersonation of 
> a group for the authenticated user generating more security problems ).
>
>
> Lorenzo Delana |
> |
> On 02/02/2018 17:15, Dale Renton wrote:
>>
>>     have you found a solution that makes "force directory mode =
2770"
>>     able to apply to new created folders ?
>>
>>
>> We have noticed the same thing in CentOS 7. The setgid no longer 
>> works like it did before, so now we create our shares like this 
>> following the instructions from the wiki.
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>
>>
>> # chmod 700 /u01/test
>> # chown root:root /u01/test
>> # setfacl -m group::--- /u01/test
>> # setfacl -m default:group::--- /u01/test
>> # setfacl -m other::--- /u01/test
>> # setfacl -m default:other::--- /u01/test
>> # setfacl -m group:unixadmins:rwx /u01/test
>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>
>>
>> smb.conf
>>
>>  [test]
>>   comment = test
>>   path = /u01/test
>>   read only = No
>>   inherit acls = yes
>>
>>
>> Dale
>

Hi everyone,

Just to share the good news: Since Samba version 4.7.1 came with Centos 
updates, the setgid bit is propagated to new subdirectories again.

Kind regards, Vincent


On 05/02/2018 17:47, Vincent via samba wrote:
> Hi Lorenzo and Dale,
>
> My setup is like Lorenzo's completely based on setgid being 
> propagated. The filesystem should determine the group used starting at 
> a certain directory. Different "root" directories have different 
> groups, and security is based on groups, not users.
>
> I tried all sorts of settings combinations, alseo "force directory 
> mode = 2770", but none propagates setgid.
>
> The odd thing is that it has worked fine for years on versions below 
> 4.2.10. Only after udating to 4.6.2 it completely stopped working. I 
> wonder if it is a new feature to neglect setgid completely, or that it 
> is a bug and that i may expect it working again in future versions.
>
> Kind regards, Vincent
>
>
> On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
>> thanks for suggestion, in other words you use only ACLs for users 
>> denying all for groups, unfortunately we had many group such as 
>> domain users, secretary, finance, etc belonging to users for which we 
>> need to apply at least 770 in order to gain a simplified permission 
>> management using groups
>>
>> the actual dirty workaround I applied was to track new files/dir by 
>> tailing with follow ( tail -f ) a smbd_audit.log filtered through 
>> rsyslog for messages generated by samba full_audit configured to 
>> listen "create_file" event; the problem here is that sometime
samba
>> full_audit report the event of a file or folder created by the 
>> element isn't on the disk yet so as security checkpoint I ended to 
>> apply a chgrp -R root nightly on a daily basis.
>>
>> all of these problems could easily resolved if there was existed an 
>> option such as an hypothetical "force item group" that allow
me to
>> force the group for created item ( note that the current one
"force
>> group" option not work for me because it apply as an impersonation
of
>> a group for the authenticated user generating more security problems ).
>>
>>
>> Lorenzo Delana |
>> |
>> On 02/02/2018 17:15, Dale Renton wrote:
>>>
>>>     have you found a solution that makes "force directory mode
= 2770"
>>>     able to apply to new created folders ?
>>>
>>>
>>> We have noticed the same thing in CentOS 7. The setgid no longer 
>>> works like it did before, so now we create our shares like this 
>>> following the instructions from the wiki.
>>>
>>>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>>
>>>
>>> # chmod 700 /u01/test
>>> # chown root:root /u01/test
>>> # setfacl -m group::--- /u01/test
>>> # setfacl -m default:group::--- /u01/test
>>> # setfacl -m other::--- /u01/test
>>> # setfacl -m default:other::--- /u01/test
>>> # setfacl -m group:unixadmins:rwx /u01/test
>>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>>
>>>
>>> smb.conf
>>>
>>>  [test]
>>>   comment = test
>>>   path = /u01/test
>>>   read only = No
>>>   inherit acls = yes
>>>
>>>
>>> Dale
>>
>
>