Lorenzo Delana
2018-Feb-02 17:04 UTC
[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)
thanks for suggestion, in other words you use only ACLs for users denying all for groups, unfortunately we had many group such as domain users, secretary, finance, etc belonging to users for which we need to apply at least 770 in order to gain a simplified permission management using groups the actual dirty workaround I applied was to track new files/dir by tailing with follow ( tail -f ) a smbd_audit.log filtered through rsyslog for messages generated by samba full_audit configured to listen "create_file" event; the problem here is that sometime samba full_audit report the event of a file or folder created by the element isn't on the disk yet so as security checkpoint I ended to apply a chgrp -R root nightly on a daily basis. all of these problems could easily resolved if there was existed an option such as an hypothetical "force item group" that allow me to force the group for created item ( note that the current one "force group" option not work for me because it apply as an impersonation of a group for the authenticated user generating more security problems ). Lorenzo Delana | | On 02/02/2018 17:15, Dale Renton wrote:> > have you found a solution that makes "force directory mode = 2770" > able to apply to new created folders ? > > > We have noticed the same thing in CentOS 7. The setgid no longer works > like it did before, so now we create our shares like this following > the instructions from the wiki. > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs > > > # chmod 700 /u01/test > # chown root:root /u01/test > # setfacl -m group::--- /u01/test > # setfacl -m default:group::--- /u01/test > # setfacl -m other::--- /u01/test > # setfacl -m default:other::--- /u01/test > # setfacl -m group:unixadmins:rwx /u01/test > # setfacl -m default:group:unixadmins:rwx /u01/test > > > smb.conf > > [test] > comment = test > path = /u01/test > read only = No > inherit acls = yes > > > Dale
Hi Lorenzo and Dale, My setup is like Lorenzo's completely based on setgid being propagated. The filesystem should determine the group used starting at a certain directory. Different "root" directories have different groups, and security is based on groups, not users. I tried all sorts of settings combinations, alseo "force directory mode = 2770", but none propagates setgid. The odd thing is that it has worked fine for years on versions below 4.2.10. Only after udating to 4.6.2 it completely stopped working. I wonder if it is a new feature to neglect setgid completely, or that it is a bug and that i may expect it working again in future versions. Kind regards, Vincent On 02/02/2018 18:04, Lorenzo Delana via samba wrote:> thanks for suggestion, in other words you use only ACLs for users > denying all for groups, unfortunately we had many group such as domain > users, secretary, finance, etc belonging to users for which we need to > apply at least 770 in order to gain a simplified permission management > using groups > > the actual dirty workaround I applied was to track new files/dir by > tailing with follow ( tail -f ) a smbd_audit.log filtered through > rsyslog for messages generated by samba full_audit configured to > listen "create_file" event; the problem here is that sometime samba > full_audit report the event of a file or folder created by the element > isn't on the disk yet so as security checkpoint I ended to apply a > chgrp -R root nightly on a daily basis. > > all of these problems could easily resolved if there was existed an > option such as an hypothetical "force item group" that allow me to > force the group for created item ( note that the current one "force > group" option not work for me because it apply as an impersonation of > a group for the authenticated user generating more security problems ). > > > Lorenzo Delana | > | > On 02/02/2018 17:15, Dale Renton wrote: >> >> have you found a solution that makes "force directory mode = 2770" >> able to apply to new created folders ? >> >> >> We have noticed the same thing in CentOS 7. The setgid no longer >> works like it did before, so now we create our shares like this >> following the instructions from the wiki. >> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs >> >> >> # chmod 700 /u01/test >> # chown root:root /u01/test >> # setfacl -m group::--- /u01/test >> # setfacl -m default:group::--- /u01/test >> # setfacl -m other::--- /u01/test >> # setfacl -m default:other::--- /u01/test >> # setfacl -m group:unixadmins:rwx /u01/test >> # setfacl -m default:group:unixadmins:rwx /u01/test >> >> >> smb.conf >> >> [test] >> comment = test >> path = /u01/test >> read only = No >> inherit acls = yes >> >> >> Dale >
Hi everyone, Just to share the good news: Since Samba version 4.7.1 came with Centos updates, the setgid bit is propagated to new subdirectories again. Kind regards, Vincent On 05/02/2018 17:47, Vincent via samba wrote:> Hi Lorenzo and Dale, > > My setup is like Lorenzo's completely based on setgid being > propagated. The filesystem should determine the group used starting at > a certain directory. Different "root" directories have different > groups, and security is based on groups, not users. > > I tried all sorts of settings combinations, alseo "force directory > mode = 2770", but none propagates setgid. > > The odd thing is that it has worked fine for years on versions below > 4.2.10. Only after udating to 4.6.2 it completely stopped working. I > wonder if it is a new feature to neglect setgid completely, or that it > is a bug and that i may expect it working again in future versions. > > Kind regards, Vincent > > > On 02/02/2018 18:04, Lorenzo Delana via samba wrote: >> thanks for suggestion, in other words you use only ACLs for users >> denying all for groups, unfortunately we had many group such as >> domain users, secretary, finance, etc belonging to users for which we >> need to apply at least 770 in order to gain a simplified permission >> management using groups >> >> the actual dirty workaround I applied was to track new files/dir by >> tailing with follow ( tail -f ) a smbd_audit.log filtered through >> rsyslog for messages generated by samba full_audit configured to >> listen "create_file" event; the problem here is that sometime samba >> full_audit report the event of a file or folder created by the >> element isn't on the disk yet so as security checkpoint I ended to >> apply a chgrp -R root nightly on a daily basis. >> >> all of these problems could easily resolved if there was existed an >> option such as an hypothetical "force item group" that allow me to >> force the group for created item ( note that the current one "force >> group" option not work for me because it apply as an impersonation of >> a group for the authenticated user generating more security problems ). >> >> >> Lorenzo Delana | >> | >> On 02/02/2018 17:15, Dale Renton wrote: >>> >>> have you found a solution that makes "force directory mode = 2770" >>> able to apply to new created folders ? >>> >>> >>> We have noticed the same thing in CentOS 7. The setgid no longer >>> works like it did before, so now we create our shares like this >>> following the instructions from the wiki. >>> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs >>> >>> >>> # chmod 700 /u01/test >>> # chown root:root /u01/test >>> # setfacl -m group::--- /u01/test >>> # setfacl -m default:group::--- /u01/test >>> # setfacl -m other::--- /u01/test >>> # setfacl -m default:other::--- /u01/test >>> # setfacl -m group:unixadmins:rwx /u01/test >>> # setfacl -m default:group:unixadmins:rwx /u01/test >>> >>> >>> smb.conf >>> >>> [test] >>> comment = test >>> path = /u01/test >>> read only = No >>> inherit acls = yes >>> >>> >>> Dale >> > >
Seemingly Similar Threads
- Samba 4.6.2 does not inherit setgid bit (anymore)
- Samba 4.6.2 does not inherit setgid bit (anymore)
- Samba 4.6.2 does not inherit setgid bit (anymore)
- [Bug 13239] New: "rsync --times" does not keep dirs' setgid bits when user not member of setgid group
- [Bug 136] New: setgid() deemed to fail for non-suid ssh client on linux if using other than primary group