Hello Samba list subscribers, i have a permission issue when moving files or directories (rename syscall) between directories with different permissions in my share. I'm using POSIX ACLs on my shares. These are my users: user.one (uid: 101111, gid: 101111) SAMDOM\Domain Users (gid: 100513) I've got the following directories: This is the private (home) directory of user.one. The user is the user owner and group owner and has full permissions (770) # file: Users/user.one/ # owner: 101111 # group: 101111 # flags: -s- user::rwx group::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:mask::rwx default:other::--- This user also has a public directory where only the user is able to write files and all other users in this domain should only be able to read the files: Whenever the user creates a file in there all "Domain Users (100513)" will only have read permissions to the files because of the default acls. # file: Public/user.one/ # owner: 101144 # group: 100513 # flags: -s- user::rwx group::r-x mask::r-x other::--- default:user::rwx default:group::r-x default:mask::r-x default:other::--- This works absolutely fine when copying or creating files. However when the user moves a file from the private directory (Users/user.one) with the following permissions: # file: Users/user.one/test # owner: 101111 # group: 101111 user::rwx group::rwx mask::rwx other::--- to the public directory the permissions stay the SAME. This will practically prevent any user from reading the file, because the move (or rename syscall) doesn't inherit the default acls. I find this behavior very unexpected although it makes totally sense from the file systems point of view. The main question now is: How to solve this problem? Here are some ideas I had: 1. Samba should apply the posix acls from the parent directory automatically after a rename like it is done with the archive bit. This feature should be off by default and can be enabled in the configuration. https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055 2. Use an external service which watches directory movements and then apply the permissions recursively. 2.1 Inotify: It would be possible to use inotify. The main disadvantage is the lack of automatic recursive watchers. So your external service needs to create a separate watch for every directory which might be quite performance intensive when your share has multiple 100.000 directories (e.g. when some users develop nodejs applications with it's thousands of dependencies). 2.2 Fanotify: It was updated with kernel 5.1 and now supports notifications for file movements. https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements This however doesn't work with multiple namespaces which is a must for our use case (docker). So how do you mitigate this problem in your environment? I think this scenario isn't so special that some other users wouldn't have the same issue. I would appreciate any advice or tips how to solve this problem. Kind regards S?ren Busse
On 06/08/2019 14:22, S?ren Busse via samba wrote:> Hello Samba list subscribers, > > i have a permission issue when moving files or directories (rename > syscall) between directories with different permissions in my share. > I'm using POSIX ACLs on my shares. > > These are my users: > user.one (uid: 101111, gid: 101111) > SAMDOM\Domain Users (gid: 100513) > > I've got the following directories: > > This is the private (home) directory of user.one. The user is the user > owner and group owner and has full permissions (770) > > # file: Users/user.one/ > # owner: 101111 > # group: 101111 > # flags: -s- > user::rwx > group::rwx > mask::rwx > other::--- > default:user::rwx > default:group::rwx > default:mask::rwx > default:other::--- > > This user also has a public directory where only the user is able to > write files and all other users in this domain should only be able to > read the files: > Whenever the user creates a file in there all "Domain Users (100513)" > will only have read permissions to the files because of the default acls. > > # file: Public/user.one/ > # owner: 101144 > # group: 100513 > # flags: -s- > user::rwx > group::r-x > mask::r-x > other::--- > default:user::rwx > default:group::r-x > default:mask::r-x > default:other::--- > > > This works absolutely fine when copying or creating files. > However when the user moves a file from the private directory > (Users/user.one) with the following permissions: > > # file: Users/user.one/test > # owner: 101111 > # group: 101111 > user::rwx > group::rwx > mask::rwx > other::--- > > to the public directory the permissions stay the SAME. This will > practically prevent any user from reading the file, because the move > (or rename syscall) doesn't inherit the default acls. I find this > behavior very unexpected although it makes totally sense from the file > systems point of view. > > The main question now is: How to solve this problem? > > Here are some ideas I had: > 1. Samba should apply the posix acls from the parent directory > automatically after a rename like it is done with the archive bit. > This feature should be off by default and can be enabled in the > configuration. > https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055 > > > 2. Use an external service which watches directory movements and then > apply the permissions recursively. > 2.1 Inotify: It would be possible to use inotify. The main > disadvantage is the lack of automatic recursive watchers. So your > external service needs to create a separate watch for every directory > which might be quite performance intensive when your share has > multiple 100.000 directories (e.g. when some users develop nodejs > applications with it's thousands of dependencies). > 2.2 Fanotify: It was updated with kernel 5.1 and now supports > notifications for file movements. > https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements > > This however doesn't work with multiple namespaces which is a must for > our use case (docker). > > So how do you mitigate this problem in your environment? I think this > scenario isn't so special that some other users wouldn't have the same > issue. > > I would appreciate any advice or tips how to solve this problem. > > Kind regards > S?ren Busse >Lets start with seeing your smb.conf, so we can see how you are running Samba. Rowland
Thank you very much for your reply. Oh sorry, I forgot that: Here's my smb.conf for Samba 4.9.4-Debian fileserver. I'm running samba with a different Samba-DC (i replaced my domain with samdom): [global] security = ADS workgroup = samdom realm = samdom.domain.tld log file = /var/log/samba/%m.log log level = 1 idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config samdom : backend = rid idmap config samdom : range = 100000-200000 winbind nss info = template template shell = /bin/bash template homedir = /home/%U username map = /etc/samba/user.map [Share] path = /srv/Share read only = no store dos attributes = no create mask = 0770 force create mode = 0770 directory mask = 0770 force directory mode = 0770 hide files = /desktop.ini/.BIN/ smb.conf for Domain Controller: [global] ??? bind interfaces only = Yes ??? dns forwarder = 10.10.0.1 ??? interfaces = lo enp3s0 ??? netbios name = DC-1 ??? realm = SAMDOM.DOMAIN.TLD ??? server role = active directory domain controller ??? workgroup = SAMDOM ??? idmap_ldb:use rfc2307 = yes [netlogon] ??? path = /var/lib/samba/sysvol/samdom.domain.tld/scripts ??? read only = No [sysvol] ??? path = /var/lib/samba/sysvol ??? read only = No Thank you very much in advance Kind regards S?ren Busse Am 06.08.19 um 15:45 schrieb Rowland penny via samba:> On 06/08/2019 14:22, S?ren Busse via samba wrote: >> Hello Samba list subscribers, >> >> i have a permission issue when moving files or directories (rename >> syscall) between directories with different permissions in my share. >> I'm using POSIX ACLs on my shares. >> >> These are my users: >> user.one (uid: 101111, gid: 101111) >> SAMDOM\Domain Users (gid: 100513) >> >> I've got the following directories: >> >> This is the private (home) directory of user.one. The user is the >> user owner and group owner and has full permissions (770) >> >> # file: Users/user.one/ >> # owner: 101111 >> # group: 101111 >> # flags: -s- >> user::rwx >> group::rwx >> mask::rwx >> other::--- >> default:user::rwx >> default:group::rwx >> default:mask::rwx >> default:other::--- >> >> This user also has a public directory where only the user is able to >> write files and all other users in this domain should only be able to >> read the files: >> Whenever the user creates a file in there all "Domain Users (100513)" >> will only have read permissions to the files because of the default >> acls. >> >> # file: Public/user.one/ >> # owner: 101144 >> # group: 100513 >> # flags: -s- >> user::rwx >> group::r-x >> mask::r-x >> other::--- >> default:user::rwx >> default:group::r-x >> default:mask::r-x >> default:other::--- >> >> >> This works absolutely fine when copying or creating files. >> However when the user moves a file from the private directory >> (Users/user.one) with the following permissions: >> >> # file: Users/user.one/test >> # owner: 101111 >> # group: 101111 >> user::rwx >> group::rwx >> mask::rwx >> other::--- >> >> to the public directory the permissions stay the SAME. This will >> practically prevent any user from reading the file, because the move >> (or rename syscall) doesn't inherit the default acls. I find this >> behavior very unexpected although it makes totally sense from the >> file systems point of view. >> >> The main question now is: How to solve this problem? >> >> Here are some ideas I had: >> 1. Samba should apply the posix acls from the parent directory >> automatically after a rename like it is done with the archive bit. >> This feature should be off by default and can be enabled in the >> configuration. >> https://github.com/samba-team/samba/blob/master/source3/smbd/reply.c#L7055 >> >> >> 2. Use an external service which watches directory movements and then >> apply the permissions recursively. >> 2.1 Inotify: It would be possible to use inotify. The main >> disadvantage is the lack of automatic recursive watchers. So your >> external service needs to create a separate watch for every directory >> which might be quite performance intensive when your share has >> multiple 100.000 directories (e.g. when some users develop nodejs >> applications with it's thousands of dependencies). >> 2.2 Fanotify: It was updated with kernel 5.1 and now supports >> notifications for file movements. >> https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Fanotify-Improvements >> >> This however doesn't work with multiple namespaces which is a must >> for our use case (docker). >> >> So how do you mitigate this problem in your environment? I think this >> scenario isn't so special that some other users wouldn't have the >> same issue. >> >> I would appreciate any advice or tips how to solve this problem. >> >> Kind regards >> S?ren Busse >> > Lets start with seeing your smb.conf, so we can see how you are > running Samba. > > Rowland > > >