thr3ads.net - samba - [Samba] Bizarre - How did windows user setfacl for a file?? [Nov 2008]

If this information is useful, please help other people find it:
Share via:

David C. Rankin

2008-Nov-12 07:46 UTC

[Samba] Bizarre - How did windows user setfacl for a file??

Listmates,

	In 8 years, since 2.02 (I think), I have never seen this behavior out of
samba. I run a stand-alone server with WinXP clients. Somehow a legal assistant
created (not intentionally mind you) files and directories with ACL attributes
set:

-rwxrwx---+ 1 cyndy ochiltree 21504 2008-10-28 16:48 AUTHORIZATION -
employment.doc*
-rwxrwx---+ 1 cyndy ochiltree 12804 2008-10-28 16:48 AUTHORIZATION -
employment.pdf*
drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:56 Gregg, Joy/
-rwxrwx---+ 1 cyndy ochiltree 44544 2008-10-28 16:32 POA - BG Contingency
New.doc*
-rwxrwx---+ 1 cyndy ochiltree 48309 2008-10-28 16:31 POA - BG Contingency
New.pdf*
drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:51 Roper, Buddy/

	What in the heck? I found the setfacl --remove-all
command that gets rid of this, but I'm still left wondering WTF happened in
the
first place? Moreover, how do I configure samba to make sure this never happens
again? My config is:

[global]
  use sendfile = No
  workgroup = rb_law
  server string = Samba Server %v
  printcap name = cups
  load printers = yes
  printing = cups
  show add printer wizard = No
  disable spoolss = yes
  log file = /var/log/samba/log.%m
  max log size = 500
  smb ports = 139
  log level = 1
  time server = yes
  hosts allow = 192.168.7. 192.168.8. 127. 66.76.63.120
  map to guest = bad user
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
  os level = 80
  domain master = yes
  preferred master = yes
  name resolve order = wins lmhosts bcast
  wins support = yes
   dns proxy = no
[samba]
        comment = Base Samba Share
        path = /home/samba
        valid users = @ochiltree
        force group = ochiltree
        admin users = david
        browseable = Yes
        writeable = Yes
        force create mode = 0770
        force directory mode = 0770

	What do I need to change? Thanks for any help you can give.


-- 
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com

Dennis Clarke

2008-Nov-12 16:04 UTC

head link

[Samba] Bizarre - How did windows user setfacl for a file??

> Listmates,
>
> In 8 years, since 2.02 (I think), I have never seen this ...
You never know, this may be a desired feature.

The question is, why is this a bad thing? I am not much of a Windows user
and thus I really have to wonder why the ACL's create an issue.  This is
just a question from me to get some insight into the implications of ACL's
delivered to the world via Samba.  Also, you did not tell us if the
underlying fs was ext3fs or ufs or zfs or what.

Dennis

Greg Byshenk

2008-Nov-13 15:41 UTC

head link

[Samba] Bizarre - How did windows user setfacl for a file??

On Wed, Nov 12, 2008 at 01:46:45AM -0600, David C. Rankin wrote:
 > 	In 8 years, since 2.02 (I think), I have never seen this behavior out of
> samba. I run a stand-alone server with WinXP clients. Somehow a legal
assistant
> created (not intentionally mind you) files and directories with ACL
attributes set:
> 
> -rwxrwx---+ 1 cyndy ochiltree 21504 2008-10-28 16:48 AUTHORIZATION -
> employment.doc*
> -rwxrwx---+ 1 cyndy ochiltree 12804 2008-10-28 16:48 AUTHORIZATION -
> employment.pdf*
> drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:56 Gregg, Joy/
> -rwxrwx---+ 1 cyndy ochiltree 44544 2008-10-28 16:32 POA - BG Contingency
New.doc*
> -rwxrwx---+ 1 cyndy ochiltree 48309 2008-10-28 16:31 POA - BG Contingency
New.pdf*
> drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:51 Roper, Buddy/
> 
> 	What in the heck? I found the setfacl --remove-all
> command that gets rid of this, but I'm still left wondering WTF
happened in the
> first place? Moreover, how do I configure samba to make sure this never
happens
> again? My config is: [...]

I'm not sure for exactly how long, but Samba has supported extended ACLs
for quite some time (if the underlying OS/filesystem has such support).

To ensure that it is not there, you can either a) build samba without
acl support; or b) disable extended ACLs on the filesystem.

As for why it changed for you, I notice that the default configuration
is now (for Samba-3.2.4, at least)

   --with-acl-support      Include ACL support (default=auto)

... which I believe means that it will build in ACL support if the 
system has it.  Perhaps this has changed recently?


-- 
greg byshenk  -  gbyshenk@byshenk.net  -  Leiden, NL

Possibly Parallel Threads

Search for more reasonably related threads

samba - Nov 2008 - Bizarre - How did windows user setfacl for a file??

[Samba] Bizarre - How did windows user setfacl for a file??

[Samba] Bizarre - How did windows user setfacl for a file??

[Samba] Bizarre - How did windows user setfacl for a file??

Possibly Parallel Threads