Chad William Seys
2016-May-11 14:54 UTC
[Samba] access to files continues after removing user from group
Hi Jeremy,

> Logged in tokens with group lists don't dynamically
> change to reflect changes in the group database.
> The token (user id and group list) is created
> at login time, and will remain the same whilst
> that user is connected.

Thanks for the explanation.

It seems like the token should be used to determine "who" the process is, while their username and the groups they belong to are compared against the filesystem ACL for "what" they can access.

Shouldn't Samba be checking the filesystem ACL and the user/group membership every time a file/dir is accessed? The kernel should do this for Samba if Samba always dropped privileges to access files, right?

Seems like a security bug waiting to happen not to do this.

Chad.
Jeremy Allison
2016-May-11 15:05 UTC
[Samba] access to files continues after removing user from group
On Wed, May 11, 2016 at 09:54:39AM -0500, Chad William Seys wrote:
> Hi Jeremy,
>
> > Logged in tokens with group lists don't dynamically
> > change to reflect changes in the group database.
> > The token (user id and group list) is created
> > at login time, and will remain the same whilst
> > that user is connected.
>
> Thanks for the explanation.
>
> It seems like the token should be used to determine "who" the process is,
> while their username and the groups they belong to are compared against the
> filesystem ACL for "what" they can access.
>
> Shouldn't Samba be checking the filesystem ACL and the user/group membership
> every time a file/dir is accessed? The kernel should do this for Samba if
> Samba always dropped privileges to access files, right?
>
> Seems like a security bug waiting to happen not to do this.

The kernel checks the token attached to the process at the time the process accesses the filesystem/resource.

This is how OSes work. It's how they *all* work.

What you're complaining about is that changes to the database that is used to create the process token don't dynamically update running process tokens.

That's just not the way running processes work, I'm afraid.
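The point Jeremy makes above can be checked directly from a login session. The following is an added example (not Samba code and not from either poster): it reads the supplementary group list the kernel attached to the running process (getgroups(2), which is what every permission check is evaluated against) and compares it with what the group database would hand a fresh login right now (glibc getgrouplist(3), Linux prototype). Groups that appear in the token but not in the database are the "removed, but still effective" case from this thread; groups the database grants but the token lacks are the "added, but not yet effective for this process" case. The function names and the constructed gid lists in the comments are my own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* True if gid occurs in list[0..n). */
static int has_gid(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Groups present in a[0..na) but absent from b[0..nb). Writes up to cap of
 * them into out (if out is non-NULL) and returns the total count found.
 * Example (constructed): a={100,1001,27}, b={100,27} -> 1, out[0]=1001. */
int group_difference(const gid_t *a, int na, const gid_t *b, int nb,
                     gid_t *out, int cap)
{
    int found = 0;
    for (int i = 0; i < na; i++) {
        if (has_gid(b, nb, a[i]))
            continue;
        if (out && found < cap)
            out[found] = a[i];
        found++;
    }
    return found;
}

/* The kernel's view: the supplementary groups in this process' credentials.
 * They were installed with setgroups() at login (or by a daemon's
 * per-connection privilege drop) and are inherited across fork/exec; nothing
 * re-reads /etc/group, NIS or LDAP on the process' behalf afterwards. */
int read_token_groups(gid_t **out)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *g = calloc((size_t)n + 1, sizeof *g);
    if (!g)
        return -1;
    n = getgroups(n, g);
    if (n < 0) {
        free(g);
        return -1;
    }
    *out = g;
    return n;
}

/* The database's view: what a new login for `user` would be given right now.
 * getgrouplist() returns -1 and sets *ngroups to the size needed when the
 * buffer is too small, so grow and retry. */
int read_database_groups(const char *user, gid_t primary, gid_t **out)
{
    int n = 16;
    gid_t *g = NULL;
    for (;;) {
        gid_t *bigger = realloc(g, (size_t)n * sizeof *g);
        if (!bigger) {
            free(g);
            return -1;
        }
        g = bigger;
        int want = n;
        if (getgrouplist(user, primary, g, &want) != -1) {
            *out = g;
            return want;
        }
        n = want > n ? want : n * 2;
    }
}

static void print_groups(const gid_t *g, int n)
{
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(g[i]);
        printf("  %u (%s)\n", (unsigned)g[i], gr ? gr->gr_name : "?");
    }
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (!pw) {
        perror("getpwuid");
        return 1;
    }
    gid_t *tok = NULL, *db = NULL;
    int ntok = read_token_groups(&tok);
    int ndb = read_database_groups(pw->pw_name, pw->pw_gid, &db);
    if (ntok < 0 || ndb < 0) {
        perror("group lookup");
        return 1;
    }
    gid_t diff[64];
    int n = group_difference(tok, ntok, db, ndb, diff, 64);
    printf("%d group(s) still in the process token but no longer in the database:\n", n);
    print_groups(diff, n < 64 ? n : 64);
    n = group_difference(db, ndb, tok, ntok, diff, 64);
    printf("%d group(s) in the database but not in this process token:\n", n);
    print_groups(diff, n < 64 ? n : 64);
    free(tok);
    free(db);
    return 0;
}
```

Run it, edit the group file (or the directory backend) to remove one of your groups, and run it again in the same shell: the first list gains an entry while getgroups() still reports the old membership, which is exactly what the kernel will enforce on the next open(2). A new login (or, for smbd, a new session) builds a fresh token and the difference disappears.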
Chad William Seys
2016-May-11 16:00 UTC
[Samba] access to files continues after removing user from group
Hi Jeremy,

> The kernel checks the token attached to the process
> at the time the process accesses the filesystem/resource.
>
> This is how OSes work. It's how they *all* work.
>
> What you're complaining about is that changes to
> the database that is used to create the process
> token don't dynamically update running process
> tokens.
>
> That's just not the way running processes work,
> I'm afraid.

Well I'll be! I verified that this is the case for netatalk as well.

I am surprised the security minded haven't gone bonkers over this. I wonder what reason(s) keep them pacified?

I still don't understand why removing a user from a group does not take effect until a new process starts BUT ADDING a user to the group takes effect immediately. Isn't this inconsistent with the "no dynamic updates to running processes" idea?

Thanks again,
Chad.