Rob Campbell
2022-Mar-08 16:29 UTC
[Samba] Unable to write to a share that I should have access to
When the normal user owns the dir, they can run chown, right? Granted, it would only be to update the group or to transfer ownership to another user but I believe that is the only time a user has that permission.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.

On Tue, Mar 8, 2022 at 11:02 AM Patrick Goetz via samba <samba at lists.samba.org> wrote:

>
> On 3/8/22 00:49, Rowland Penny via samba wrote:
> > On Mon, 2022-03-07 at 20:40 -0600, Patrick Goetz via samba wrote:
> >>
> >> On 3/7/22 13:21, Rob Campbell via samba wrote:
> >>> Following
> >>> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.samba.org%2Findex.php%2FSetting_up_a_Share_Using_POSIX_ACLs%23Setting_Standard_UNIX_ACLs&data=04%7C01%7C%7Ced0df6aa1dac4270f65608da00cfee65%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C0%7C0%7C637823190313579415%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=t8D4AdFB32Pgv8Cl4FaQrmWJ%2FoVwaUd7a4CN6fZs68k%3D&reserved=0
> >>>
> >>> # chmod 2770 /srv/samba/Demo/
> >>> # chown root:"Domain Users" /srv/samba/Demo/
> >>>
> >>> When I try this, I get an error message
> >>> $ chown testuser:"Media Users" TV_Shows/
> >>> chown: invalid user: ‘testuser:Media Users’
> >>>
> >>
> >> First of all, you can't use chown as an ordinary user. Only root can
> >> do this. Second, I'm pretty sure your syntax is wrong? Try this (as
> >> root):
> >>
> >> # chown testuser:"Media Users" TV_Shows
> >
> > You can run 'chown' as a normal user, whether you have the permissions
> > to run it against a particular file is another thing. Also, there was
> > nothing wrong with the syntax.
> >
>
> What permission would allow you to run chown as a normal user?
>
> > Rowland
Patrick Goetz
2022-Mar-08 16:52 UTC
[Samba] Unable to write to a share that I should have access to
On 3/8/22 10:29, Rob Campbell wrote:
> When the normal user owns the dir, they can run chown, right? Granted,
> it would only be to update the group or to transfer ownership to another
> user but I believe that is the only time a user has that permission.
>

Here I am in my home directory:

pgoetz at frog ~$ pwd
/home/pgoetz
pgoetz at frog ~$ mkdir testdir
pgoetz at frog ~$ ls -ld testdir
drwxr-xr-x 2 pgoetz pgoetz 4096 Mar 8 10:38 testdir
pgoetz at frog testdir$ touch foo
pgoetz at frog testdir$ ls -l foo
-rw-r--r-- 1 pgoetz pgoetz 0 Mar 8 10:39 foo

Let's make sure the file is wide open, to remove this possible variable:

pgoetz at frog testdir$ chmod 777 foo
pgoetz at frog testdir$ ls -l
total 0
-rwxrwxrwx 1 pgoetz pgoetz 0 Mar 8 10:39 foo

OK, let me attempt to transfer the permission to another user:

pgoetz at frog testdir$ id sven
uid=1005(sven) gid=1005(sven) groups=1005(sven)
pgoetz at frog testdir$ chown sven foo
chown: changing ownership of 'foo': Operation not permitted

I can change the group to a group that I'm in:

pgoetz at frog testdir$ chgrp users foo
pgoetz at frog testdir$ ls -l
total 0
-rwxrwxrwx 1 pgoetz users 0 Mar 8 10:39 foo

But I can't change the group to a group I'm not in:

pgoetz at frog testdir$ chgrp ftp foo
chgrp: changing group of 'foo': Operation not permitted

I think it's like Louis said: being able to arbitrarily change the uid of a file as a non-privileged user would be a huge security hole, since I could write a shell script called fml.sh

#!/bin/bash
cd /
rm -rf *

Then change the ownership to a privileged user:

$ chown root fml.sh

and now this script runs as root.

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
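The ownership rules seen in the session above, as an added example that is not part of the original thread: a simplified Python model of the Linux permission check behind chown/chgrp, replaying the thread's commands. All uids and gids except sven's 1005 are constructed, and the names `Cred`, `Inode` and `may_chown` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    fsuid: int
    groups: frozenset        # primary + supplementary gids
    cap_chown: bool = False  # True for root / holders of CAP_CHOWN

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int

def may_chown(cred, inode, new_uid=None, new_gid=None):
    """Return None if the change is permitted, else 'EPERM'.

    None for new_uid/new_gid means "leave unchanged" (chown's -1).
    """
    is_owner = cred.fsuid == inode.uid
    if new_uid is not None:
        # Owner change: without CAP_CHOWN only the owner's no-op passes.
        if not (cred.cap_chown or (is_owner and new_uid == inode.uid)):
            return "EPERM"
    if new_gid is not None:
        # Group change: the owner may pick a group they are a member of.
        member = new_gid in cred.groups or new_gid == inode.gid
        if not (cred.cap_chown or (is_owner and member)):
            return "EPERM"
    return None

# Constructed ids; only sven's uid 1005 appears in the thread.
PGOETZ, SVEN = 1000, 1005
G_PGOETZ, G_USERS, G_FTP = 1000, 100, 11

def replay_session():
    user = Cred(PGOETZ, frozenset({G_PGOETZ, G_USERS}))
    root = Cred(0, frozenset({0}), cap_chown=True)
    foo = Inode(PGOETZ, G_PGOETZ)
    return {
        "chown sven foo": may_chown(user, foo, new_uid=SVEN),
        "chgrp users foo": may_chown(user, foo, new_gid=G_USERS),
        "chgrp ftp foo": may_chown(user, foo, new_gid=G_FTP),
        "chown pgoetz:users foo": may_chown(user, foo, PGOETZ, G_USERS),
        "chown sven:users foo": may_chown(user, foo, SVEN, G_USERS),
        "root: chown sven:ftp foo": may_chown(root, foo, SVEN, G_FTP),
    }

if __name__ == "__main__":
    for cmd, result in replay_session().items():
        print(f"{cmd:26} -> {result or 'ok'}")
```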