samba - Mar 2003 - Samba and LinuxMDK 9 file perms oddities?

Hi all

I noticed a pretty strange behaviour regarding file permissions that 
sometimes change without any reason. I need to share the following two 
directories:

    /home/public (owner=root, group=root, perms=0777)
    /home/users (owner=root, group=users, perms=0770)

the /home directory is owned by root, the group is root and permissions 
are set in this way: 0755.
The above dirs are shared using these instructions in smb.conf:

[grp]
    comment = Folder for group [%g]
    path = /home/%g
    guest ok = no
    public = no
    browseable = yes
    writable = yes
    create mask = 0660
    directory mask = 0770

[public]
    comment = Public folder
    path = /home/public
    guest ok = no
    public = no
    browseable = yes
    writable = yes
    create mask = 0666
    directory mask = 0777

When a member of group "users" connects to the [public] or [grp] share
and interacts with them by creating dirs and/or files, something strange 
happens because file permissions change to:

    /home/public (owner=root, group=root, perms=0755)
    /home/users (owner=root, group=users, perms=0750)

In a short words, the write flag disappears. As a result, the next time 
that a user logs in or interacts with shares, he won't be able to write 
files, create dirs, rename them and so on.
I tried to shut down and restart samba to discover if that change is 
caused by the deamon itself and not by the use of the shares but I 
observed that restarting doesn't change file perms. Does anybody know 
the solution?

Thanks :-)

AlF schrieb:
> 
> When a member of group "users" connects to the [public] or [grp]
share
> and interacts with them by creating dirs and/or files, something strange 
> happens because file permissions change to:
> 
>    /home/public (owner=root, group=root, perms=0755)
>    /home/users (owner=root, group=users, perms=0750)
> 
are u using winbind/ACL support?
can u post the [general] section too?

thx k

Kurt Weiss wrote:

[cut]
> i tested the same situation. - without result. %-|
> (samba 2.2.4 / kernel 2.4.10)
>
> *) which version u use?
2.2.6pre2, the one that's delivered in the package 
samba-xxx-2.2.6-1.0.pre2.2mdk,  but I'm going to upgrade in a few days.
The (recompiled) kernel version is 2.4.19
> *) maybe u have running some other software, which is doing this 
> strange thing. (something like disk quota in relation with umask...)
I was just thinking that security level of MDK release could be the 
"culprit" for such a strange behaviour.
I think I have to take a look in /etc/security/msec/security.conf 
(and/or) /var/lib/msec/security.conf  and try to understand
> *) maybe u used /home/public as home directory for an unix/linux user?
no, there's no user that has /home/public as home dir
> *) maybe u have just a third share, which allowes access to /home?
no
> the smb.conf part u sent, seems ok. -
> but if possible send the whole original...
I'll access that machine on tuesday morning so there's some day to wait 
but I decided to test smb.conf with another Linux distribution at home 
in a couple of hours

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Date: Sat, 01 Mar 2003 14:08:23 +0100
> From: AlF <ddkh@libero.it>
> To: samba@lists.samba.org
> Subject: [Samba] Samba and LinuxMDK 9 file perms oddities?
> Message-ID: <3E60B0C7.2090707@libero.it>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Precedence: list
> Message: 1
>
> Hi all
>
> I noticed a pretty strange behaviour regarding file permissions that
> sometimes change without any reason. I need to share the following two
> directories:
>
>     /home/public (owner=root, group=root, perms=0777)
>     /home/users (owner=root, group=users, perms=0770)
>
> the /home directory is owned by root, the group is root and permissions
> are set in this way: 0755.
> The above dirs are shared using these instructions in smb.conf:
>
> [grp]
>     comment = Folder for group [%g]
>     path = /home/%g
>     guest ok = no
>     public = no
>     browseable = yes
>     writable = yes
>     create mask = 0660
>     directory mask = 0770
>
> [public]
>     comment = Public folder
>     path = /home/public
>     guest ok = no
>     public = no
>     browseable = yes
>     writable = yes
>     create mask = 0666
>     directory mask = 0777
>
> When a member of group "users" connects to the [public] or [grp]
share
> and interacts with them by creating dirs and/or files, something strange
> happens because file permissions change to:
Are you sure it is when a user connects?
>
>     /home/public (owner=root, group=root, perms=0755)
>     /home/users (owner=root, group=users, perms=0750)
>
> In a short words, the write flag disappears. As a result, the next time
> that a user logs in or interacts with shares, he won't be able to write
> files, create dirs, rename them and so on.
> I tried to shut down and restart samba to discover if that change is
> caused by the deamon itself and not by the use of the shares but I
> observed that restarting doesn't change file perms. Does anybody know
> the solution?
What security level are you running?

[bgmilne:/home/users/bgmilne]# cat /etc/sysconfig/msec

If you are running security level 2 or higher, msec will reset
permissions to not be group writeable on directories under /home. So,
you should run draksec to customise this, or not use msec.

[bgmilne:/usr/share/msec]# grep home perm.? |awk '{print $1 "\t" 
$2
"\t" $3}'
perm.0:/home/   root.root       755
perm.0:/home/*  current 755
perm.1:/home/   root.root       755
perm.1:/home/*  current 755
perm.2:/home/   root.root       755
perm.2:/home/*  current 755
perm.3:/home/   root.root       755
perm.3:/home/*  current 711
perm.4:/home/   root.adm        751
perm.4:/home/*  current 700
perm.5:/home/   root.root       711
perm.5:/home/*  current 700

After making your changes in draksec, run:
# msec <security level>
to have msec set the permissions as it thinks they should be, or set
them the way you want them, and run
# msec
to see if it leaves them alone now.

Regards,
Buchan

P.S. I normally search the digests of this list for "mandrake", I
would
not have found your post since I do not search for MDK/mdk/md etc. It is
also a good idea not to abbreviate if you intend other searches (Google
etc) to find your post ...

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+YzMLrJK6UGDSBKcRAstdAJ4sZBbp06bKYnixkWSaKAFPsD+IlgCgyauP
LJIDZHhscR9f7e46Bv3W5SQ=/1Or
-----END PGP SIGNATURE-----