Samba 4.8 (Louis debian repo), DM.
Today i've had to recovery a deleted file in that share, that use
'vfs_recycle' modules:
[Work]
comment = Spazio di Lavoro Utente
map acl inherit = Yes
path = /srv/work
read only = No
store dos attributes = Yes
vfs objects = acl_xattr recycle full_audit
volume = Work
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:prefix = %S|%d|%I|%M|%u
recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$*
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .cestino/%U
but i've misclick on user name, and found that i can read ALL deleted
files of ALL users. ;-(
Looking at file permissions:
root at vdmsv1:~# ls -la /srv/work/.cestino/
totale 12
drwxrwxrwt 107 root domain users 4096 ott 16 14:53 .
drwxr-xr-x 95 root root 4096 apr 5 2019 ..
drwxr-xr-x 4 abarro domain users 61 set 30 11:51 abarro
drwxr-xr-x 3 agnese domain users 40 set 10 16:47 agnese
drwxr-xr-x 5 aleggi domain users 66 set 5 08:53 aleggi
[...]
note that there's no ACL:
root at vdmsv1:~# getfacl /srv/work/.cestino/abarro
getfacl: Removing leading '/' from absolute path names
# file: srv/work/.cestino/abarro
# owner: abarro
# group: domain\040users
user::rwx
group::r-x
other::r-x
I've also tried to add to share definition:
recycle:subdir_mode = 0700
recycle:directory_mode = 0700
(that the manpage say they are the default), but nothing changed.
I've hit a bug?
If i've not misconfigured something security implication of this
behaviour are serious...
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Hai Marco, Can you check this acl and attr are these installed? type acl type attr Or just run : apt-get install -y acl attr Try this : chmod 1770 /srv/work/.cestino/ Which sets : "creator Owner" (1), Owner (7), Group (7), World (0) So the owner and groups can create anything but your enforcing "creator owner" Then set: recycle:subdir_mode = 1700 recycle:directory_mode = 1700 I've not fully checked it, im to buzy with my builder atm. But im sure its something like that. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Gaiarin via samba > Verzonden: woensdag 16 oktober 2019 15:14 > Aan: samba at lists.samba.org > Onderwerp: [Samba] vfs_recycle permission bug?! > > > Samba 4.8 (Louis debian repo), DM. > > > Today i've had to recovery a deleted file in that share, that use > 'vfs_recycle' modules: > > [Work] > comment = Spazio di Lavoro Utente > map acl inherit = Yes > path = /srv/work > read only = No > store dos attributes = Yes > vfs objects = acl_xattr recycle full_audit > volume = Work > full_audit:failure = none > full_audit:success = mkdir rmdir read pread write > pwrite rename unlink > full_audit:prefix = %S|%d|%I|%M|%u > recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$* > recycle:versions = yes > recycle:keeptree = yes > recycle:repository = .cestino/%U > > but i've misclick on user name, and found that i can read ALL deleted > files of ALL users. ;-( > > Looking at file permissions: > > root at vdmsv1:~# ls -la /srv/work/.cestino/ > totale 12 > drwxrwxrwt 107 root domain users 4096 > ott 16 14:53 . > drwxr-xr-x 95 root root 4096 > apr 5 2019 .. > drwxr-xr-x 4 abarro domain users 61 > set 30 11:51 abarro > drwxr-xr-x 3 agnese domain users 40 > set 10 16:47 agnese > drwxr-xr-x 5 aleggi domain users 66 > set 5 08:53 aleggi > [...] > > note that there's no ACL: > > root at vdmsv1:~# getfacl /srv/work/.cestino/abarro > getfacl: Removing leading '/' from absolute path names > # file: srv/work/.cestino/abarro > # owner: abarro > # group: domain\040users > user::rwx > group::r-x > other::r-x > > I've also tried to add to share definition: > > recycle:subdir_mode = 0700 > recycle:directory_mode = 0700 > > (that the manpage say they are the default), but nothing changed. > > > I've hit a bug? > > > If i've not misconfigured something security implication of this > behaviour are serious... > > > Thanks. > > -- > dott. Marco Gaiarin GNUPG > Key ID: 240A3D66 > Associazione ``La Nostra Famiglia'' > http://www.lanostrafamiglia.it/ > Polo FVG - Via della Bont?, 7 - 33078 - San Vito al > Tagliamento (PN) > marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 > f +39-0434-842797 > > Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! > http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 > (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Mandi! L.P.H. van Belle via samba In chel di` si favelave...> Can you check this acl and attr are these installed?Sure! They are installed! root at vdmsv1:~# dpkg -l | egrep "a(cl|ttr)" ii acl 2.2.52-3+b1 amd64 Access control list utilities ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes [...]> chmod 1770 /srv/work/.cestino/it was 1777, now done.> Then set: > recycle:subdir_mode = 1700 > recycle:directory_mode = 1700done. done also a 'systemctl reload smbd.service' and killed active connection. Removed '/srv/work/.cestino/gaio': rm -r /srv/work/.cestino/gaio> I've not fully checked it, im to buzy with my builder atm. > But im sure its something like that.No, same result: root at vdmsv1:/srv/work/.cestino# ls -la gaio/ totale 8 drwxr-xr-x 3 gaio domain users 16 ott 16 18:17 . drwxrwx--T 107 root domain users 4096 ott 16 18:17 .. [...] -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Mandi! L.P.H. van Belle via samba In chel di` si favelave...> But im sure its something like that.Oh, very interesting... save server, different share, different FS (gluster) defined as: [FVG] comment = Regionale (FVG) kernel share modes = No map acl inherit = Yes path = / read only = No store dos attributes = Yes vfs objects = acl_xattr recycle full_audit glusterfs volume = FVG full_audit:failure = none full_audit:success = mkdir rmdir read pread write pwrite rename unlink full_audit:prefix = %S|%d|%I|%M|%u recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$* recycle:versions = yes recycle:keeptree = yes recycle:repository = .cestino/%U glusterfs:volume = gv0 work as expected: root at vdmsv1:/srv/work/.cestino# ls -la /srv/fvg/.cestino/ totale 20 drwxrwxrwt 5 root root 4096 mag 29 14:02 . drwxr-xr-x 6 root root 4096 set 29 06:48 .. drwxr-xr-x 3 gaio domain users 4096 mar 8 2018 gaio drwx------ 3 rossella domain users 4096 mag 29 14:03 rossella drwx------ 3 stefano domain users 4096 lug 17 2018 stefano GlusterFS 'gv0' is mounted locally into /srv/fvg for backup purpose, but i've tried also samba access (eg, explorer on windows) and i've no access to non-mine folder (as expected). Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> I've hit a bug?In absence of more feedback in list, i've fired up a bug. https://bugzilla.samba.org/show_bug.cgi?id=14167 -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)