suresh.kandukuru at emc.com
2010-Oct-14 04:54 UTC
[Samba] Restricting samba subfolder acl changes to admin users
Dear samba team, What I noticed from the below example is , any user who has write access to share are able to change sub folder acls in it. we don't want that. how to restrict this to only admin users in NAS and to AD administrator in windows. ?. Please help . ---------------- 1) Import user from W2K3 R2 Server and set up a secure share. User has Read/Write access. 2) Create sub-folder and set Read . 3) Log in as user on Windows 7 workstation using AD users credentials. 4) Map to share and write files to share - OK as expected. 5) Change directory to sub-folder and write files to sub-folder - write denied as expected. 6) As AD user right click on sub-folder and enter properties, security. Attempt to change R/O rights. Successfully changed - Not expected behavior, only Administrator of NAS, Administrator of AD or member of AD Admin group should be able to change rights on secure sub-folders. ----------------- Thanks Suresh
Volker Lendecke
2010-Oct-14 06:25 UTC
[Samba] Restricting samba subfolder acl changes to admin users
On Thu, Oct 14, 2010 at 12:54:59AM -0400, suresh.kandukuru at emc.com wrote:> What I noticed from the below example is , any user who > has write access to share are able to change sub folder > acls in it. we don't want that. how to restrict this to > only admin users in NAS and to AD administrator in > windows. ?. > > Please help . > > ---------------- > > 1) Import user from W2K3 R2 Server and set up a secure share. User has Read/Write access. > > 2) Create sub-folder and set Read . > > 3) Log in as user on Windows 7 workstation using AD users credentials. > > 4) Map to share and write files to share - OK as expected. > > 5) Change directory to sub-folder and write files to sub-folder - write denied as expected. > > 6) As AD user right click on sub-folder and enter properties, security. Attempt to change R/O rights. Successfully changed - Not expected behavior, only Administrator of NAS, Administrator of AD or member of AD Admin group should be able to change rights on secure sub-folders.Assuming you're using pure posix ACLs, this is expected behaviour. It is an artifact of Samba mapping Posix ACLs to Windows ACLs, not enforcing additional restrictions on top of it. Posix allows the owner of a directory to change its ACL, probably this is what you see here. Volker
suresh.kandukuru at emc.com
2010-Oct-15 13:28 UTC
[Samba] Restricting samba subfolder acl changes to admin users
Volker I will send the log, why it does not matter here if user1 is owner of the subfolder and has read only access on it?. my Q is though user1 has read only access on subfolder "testsubfldr", he is able to change it to the write , since user1 has write access on the share. cannot samba disallow acl changes on the subfolder "testsufldr" for the user user1 since has read access for it , though he has write access on the share?. Thanks Suresh -----Original Message----- From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] Sent: Friday, October 15, 2010 4:51 PM To: Kandukuru, Suresh Cc: samba at lists.samba.org; jra at samba.org Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kandukuru at emc.com wrote:> once final Q is ,I have admin user in NAS . for a share > "test" , he has given write access to user "user1 " and > read access for a subfolder -> "testsubdir" in share > "test" . > when user1 logged into share "test", he could not write > into "testsubdir". obviously it is because he has read > access on the folder an most restrictive access will be > effective. > > and the problem is since the user1 has write access to > share , he is able to change the read access on the sub > folder by himself. why samba is allowing this ? since > effectively user1 has read access on the sub folder > "testsubdir" it should deny acl changes on that right?.Who is the file owner of "testsubdir"? You can find out who is the owner with the command "ls -ld testsubdir". If user1 is the owner, then it does not matter if user1 has only read access. If user1 is not the owner, then we might have a bug in Samba. Please send us your smb.conf configuration file and a debug level 10 log of the smbd allowing this operation. Thanks in advance, Volker Lendecke
suresh.kandukuru at emc.com
2010-Oct-19 13:19 UTC
[Samba] Restricting samba subfolder acl changes to admin users
Jeremy did you get a chance to look at this . can you please pass your comments on this.? Thanks Suresh -----Original Message----- From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] Sent: Monday, October 18, 2010 1:16 PM To: Kandukuru, Suresh Cc: jra at samba.org Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kandukuru at emc.com wrote:> Thanks Jeremy and Volker. Clarified some of points.still little bit confusion for me. > so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it. > > here is is my test. > > 1) created share "test" , given write access to it for "admin", "user1" users. > > 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user > . > output of getfacl > ------------ > root at storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/ > # file: test_subfldr/ > # owner: admin > # group: users > user::rwx > user:user1:r-x > group::rwx > mask::rwx > other::rwx > default:user::rwx > default:user:user1:r-x > default:group::--- > default:mask::rwx > default:other::--- > > root at storage:/mnt/soho_storage/samba/shares/SP0/test# > ------------------ > 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed acl settings on test_subfldr to write access . > why samba is allowing this? Though user1 has write access to share , he is not the owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has read access on the test_subfldr.This might actually be a bug. Maybe Samba believes the user has write permissions due to the group having the w permission? Which group is the user member of? Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs in the "dos filemode" permission check? Volker
suresh.kandukuru at emc.com
2010-Oct-24 09:10 UTC
[Samba] Restricting samba subfolder acl changes to admin users
Just a reminder. -----Original Message----- From: Kandukuru, Suresh Sent: Tuesday, October 19, 2010 6:49 PM To: 'jra at samba.org'; 'samba at lists.samba.org' Cc: 'Volker.Lendecke at SerNet.DE' Subject: RE: [Samba] Restricting samba subfolder acl changes to admin users Jeremy did you get a chance to look at this . can you please pass your comments on this.? Thanks Suresh -----Original Message----- From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] Sent: Monday, October 18, 2010 1:16 PM To: Kandukuru, Suresh Cc: jra at samba.org Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kandukuru at emc.com wrote:> Thanks Jeremy and Volker. Clarified some of points.still little bit confusion for me. > so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it. > > here is is my test. > > 1) created share "test" , given write access to it for "admin", "user1" users. > > 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user > . > output of getfacl > ------------ > root at storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/ > # file: test_subfldr/ > # owner: admin > # group: users > user::rwx > user:user1:r-x > group::rwx > mask::rwx > other::rwx > default:user::rwx > default:user:user1:r-x > default:group::--- > default:mask::rwx > default:other::--- > > root at storage:/mnt/soho_storage/samba/shares/SP0/test# > ------------------ > 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed acl settings on test_subfldr to write access . > why samba is allowing this? Though user1 has write access to share , he is not the owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has read access on the test_subfldr.This might actually be a bug. Maybe Samba believes the user has write permissions due to the group having the w permission? Which group is the user member of? Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs in the "dos filemode" permission check? Volker
suresh.kandukuru at emc.com
2010-Oct-25 00:58 UTC
[Samba] Restricting samba subfolder acl changes to admin users
Jeremy did you get a chance to look at this . can you please pass your comments on this.? Thanks Suresh -----Original Message----- From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] Sent: Monday, October 18, 2010 1:16 PM To: Kandukuru, Suresh Cc: jra at samba.org Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kandukuru at emc.com wrote:> Thanks Jeremy and Volker. Clarified some of points.still little bit confusion for me. > so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it. > > here is is my test. > > 1) created share "test" , given write access to it for "admin", "user1" users. > > 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user > . > output of getfacl > ------------ > root at storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/ > # file: test_subfldr/ > # owner: admin > # group: users > user::rwx > user:user1:r-x > group::rwx > mask::rwx > other::rwx > default:user::rwx > default:user:user1:r-x > default:group::--- > default:mask::rwx > default:other::--- > > root at storage:/mnt/soho_storage/samba/shares/SP0/test# > ------------------ > 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed acl settings on test_subfldr to write access . > why samba is allowing this? Though user1 has write access to share , he is not the owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has read access on the test_subfldr.This might actually be a bug. Maybe Samba believes the user has write permissions due to the group having the w permission? Which group is the user member of? Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs in the "dos filemode" permission check? Volker