samba - May 2016 - access to files continues after removing user from group

Hi Jeremy,
> Logged in tokens with group lists don't dynamically
> change to reflect changes in the group database.
> The token (user id and group list) is created
> at login time, and will remain the same whilst
> that user is connected.
Thanks for the explanation.

It seems like the token should be used to determine "who" the process
is,
while their username and groups they belong to compared against the filesystem 
ACL "what" they can access.

Shouldn't Samba be checking the filesystem ACL and the user/group membership
every time a file/dir are accessed?  The kernel should do this for Samba if 
Samba always dropped privileges to access files, right?

Seems like a security bug waiting to happen not to do this.

Chad.

On Wed, May 11, 2016 at 09:54:39AM -0500, Chad William Seys
wrote:
> Hi Jeremy,
> 
> > Logged in tokens with group lists don't dynamically
> > change to reflect changes in the group database.
> > The token (user id and group list) is created
> > at login time, and will remain the same whilst
> > that user is connected.
> 
> Thanks for the explanation.
> 
> It seems like the token should be used to determine "who" the
process is,
> while their username and groups they belong to compared against the
filesystem
> ACL "what" they can access.
> 
> Shouldn't Samba be checking the filesystem ACL and the user/group
membership
> every time a file/dir are accessed?  The kernel should do this for Samba if
> Samba always dropped privileges to access files, right?
> 
> Seems like a security bug waiting to happen not to do this.
The kernel checks the token attached to the process
at the time the process accesses the filesystem/resource.

This is how OS'es work. It's how they *all* work.

What you're complaining about is that changes to
the database that is used to create the process
token doesn't dynamically update running process
tokens.

That just not the way running processes work
I'm afraid.

Hi Jeremy,
> The kernel checks the token attached to the process
> at the time the process accesses the filesystem/resource.
> 
> This is how OS'es work. It's how they *all* work.
> 
> What you're complaining about is that changes to
> the database that is used to create the process
> token doesn't dynamically update running process
> tokens.
> 
> That just not the way running processes work
> I'm afraid.
Well I'll be!  I verified that this is the case for netatalk as well.  I am 
surprised the security minded haven't gone bonkers over this.  I wonder what
reason(s) keep them pacified?

I still don't understand why removing a user from group does not take effect
until a new process starts
BUT ADDING a user to the group takes effect immediately.

Isn't this inconsistent with the "no dynamic updates to running
processes"
idea?

Thanks again,
Chad.