Rowland penny
2021-Feb-01 13:33 UTC
[Samba] Suggestion for clarification in the manual page for smb.conf re preexec & admin users
On 01/02/2021 13:09, Peter Eriksson wrote:> >> On 1 Feb 2021, at 14:00, Rowland penny via samba <samba at lists.samba.org> wrote: >> >> On 01/02/2021 12:42, Peter Eriksson via samba wrote: >>> I just noticed that ?preexec? scripts are run as the user connecting. Unless that user is in the ?admin users? list. Then it will be run as user root? >>> >>> Now, in retrospect this isn?t so surprising since ?admin users? will do all file operations as root but it still wasn?t obvious to me from reading the manual page. >>> >>> Perhaps adding a notice in the ?admin users? section that it not only affects file operations but also ?preexec? (and possibly ?postexec? - haven?t tested that)? >>> (And also perhaps a notice under the ?preexec? section)? >>> >>> - Peter >>> >>> >> In a roundabout way it is documented in 'man smb.conf'. There is is also the 'root preexec' parameter and in 'man smb.conf' it says this: >> >> This is the same as the preexec parameter except that the command is run as root. >> >> Which implies that the 'preexec' is run as a normal user. > Yes - which is why I was a bit surprised when it ran the command as root :-) > > - PeterAgain I point you to 'man smb.conf' ? ?????? admin users (S) ?????????? This is a list of users who will be granted administrative ?????????? privileges on the share. This means that they will do all file ?????????? operations as the super-user (root). Rowland
Andrew Bartlett
2021-Feb-02 06:09 UTC
[Samba] Suggestion for clarification in the manual page for smb.conf re preexec & admin users
On Mon, 2021-02-01 at 13:33 +0000, Rowland penny via samba wrote:> On 01/02/2021 13:09, Peter Eriksson wrote: > > > On 1 Feb 2021, at 14:00, Rowland penny via samba < > > > samba at lists.samba.org> wrote: > > > > > > On 01/02/2021 12:42, Peter Eriksson via samba wrote: > > > > I just noticed that ?preexec? scripts are run as the user > > > > connecting. Unless that user is in the ?admin users? list. Then > > > > it will be run as user root? > > > > > > > > Now, in retrospect this isn?t so surprising since ?admin users? > > > > will do all file operations as root but it still wasn?t obvious > > > > to me from reading the manual page. > > > > > > > > Perhaps adding a notice in the ?admin users? section that it > > > > not only affects file operations but also ?preexec? (and > > > > possibly ?postexec? - haven?t tested that)? > > > > (And also perhaps a notice under the ?preexec? section)? > > > > > > > > - Peter > > > > > > > > > > > In a roundabout way it is documented in 'man smb.conf'. There is > > > is also the 'root preexec' parameter and in 'man smb.conf' it > > > says this: > > > > > > This is the same as the preexec parameter except that the command > > > is run as root. > > > > > > Which implies that the 'preexec' is run as a normal user. > > Yes - which is why I was a bit surprised when it ran the command as > > root :-) > > > > - Peter > > Again I point you to 'man smb.conf' ? > > admin users (S) > > This is a list of users who will be granted > administrative > privileges on the share. This means that they will do all > file > operations as the super-user (root). > > RowlandI don't think there is any dispute that this is behaving as designed or documented, just that s/file operations/file operations and preexec commands/ might be a useful change. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba