Chad William Seys
2016-May-11 16:00 UTC
[Samba] access to files continues after removing user from group
Hi Jeremy,

> The kernel checks the token attached to the process
> at the time the process accesses the filesystem/resource.
>
> This is how OS'es work. It's how they *all* work.
>
> What you're complaining about is that changes to
> the database that is used to create the process
> token doesn't dynamically update running process
> tokens.
>
> That's just not the way running processes work
> I'm afraid.

Well I'll be! I verified that this is the case for netatalk as well. I am surprised the security minded haven't gone bonkers over this. I wonder what reason(s) keep them pacified?

I still don't understand why removing a user from a group does not take effect until a new process starts BUT ADDING a user to the group takes effect immediately.

Isn't this inconsistent with the "no dynamic updates to running processes" idea?

Thanks again,
Chad.
Jeremy Allison
2016-May-11 16:07 UTC
[Samba] access to files continues after removing user from group
On Wed, May 11, 2016 at 11:00:49AM -0500, Chad William Seys wrote:

> Hi Jeremy,
>
> > The kernel checks the token attached to the process
> > at the time the process accesses the filesystem/resource.
> >
> > This is how OS'es work. It's how they *all* work.
> >
> > What you're complaining about is that changes to
> > the database that is used to create the process
> > token doesn't dynamically update running process
> > tokens.
> >
> > That's just not the way running processes work
> > I'm afraid.
>
> Well I'll be! I verified that this is the case for netatalk as well. I am
> surprised the security minded haven't gone bonkers over this. I wonder what
> reason(s) keep them pacified?

Because that's just the way the process model works.

> I still don't understand why removing a user from a group does not take effect
> until a new process starts
> BUT ADDING a user to the group takes effect immediately.
>
> Isn't this inconsistent with the "no dynamic updates to running processes"
> idea?

Adding a user to a group won't change the token on existing processes. If a user attaches to Samba after that user is added to the group, it will create a new token attached to the new smbd process. It won't change any existing smbd process.
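The point Jeremy makes above is that a process's group list is captured into its credential token when it starts (`getgroups()` reports the token; the group database is only consulted when a new token is built). The script below is an added example, not from this thread, that checks a running session for exactly that drift: it compares the groups in the current process's token (`id -G`) against what the group database would grant the same user now (`id -G "$user"`, which goes through NSS), so an administrator can spot sessions that still carry a group the user has since been removed from. It assumes coreutils `id` is available.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect supplementary
# groups baked into this process's credential token that are no longer
# granted by the group database. Assumes coreutils `id`.

# Pure helper: given two space-separated GID lists (token, database),
# print the GIDs present in the token but absent from the database.
stale_groups() {
  token="$1"
  db="$2"
  out=""
  for g in $token; do
    found=0
    for d in $db; do
      if [ "$g" = "$d" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      out="$out $g"
    fi
  done
  printf '%s\n' "${out# }"
}

# Live check for the calling process: `id -G` reads the kernel token
# (getgroups); `id -G <user>` rebuilds the list from the database
# (getgrouplist via NSS), which is what a *new* process would receive.
check_token_drift() {
  user=$(id -un)
  token=$(id -G)
  db=$(id -G "$user")
  stale=$(stale_groups "$token" "$db")
  if [ -n "$stale" ]; then
    echo "stale: token of PID $$ still carries GID(s) $stale for $user"
    return 1
  fi
  echo "consistent: token of PID $$ matches the group database for $user"
  return 0
}
```

Source the file and call `check_token_drift` from a shell that was started before a group change to see the stale token; a freshly started shell (or a new smbd) reports `consistent`.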
Chad William Seys
2016-May-11 16:17 UTC
[Samba] access to files continues after removing user from group
Hi Jeremy,

> Because that's just the way the process model works.

So security nuts didn't get involved early enough? Or maybe there is some performance problem of checking on each access (at least back when the model was developed). Or maybe the process model is more like gravity? That is how it is, but no-one knows why. ;)

> Adding a user to a group won't change the token on existing
> processes. If a user attaches to Samba after that user is
> added to the group, it will create a new token attached to
> the new smbd process. It won't change any existing smbd
> process.

Ah! You're right. Somehow I didn't notice the PID changing.

Thanks for your help!
Chad.