samba - Jan 2024 - chmod of smbpasswd file

On Wed, Jan 10, 2024 at 05:41:01PM +0300, Michael Tokarev via samba
wrote:
>
>That's exactly the reason to have configs on a read-only file system -
to
>ensure they're not modified when should not.  Samba is *not* modifying
them
>de facto (this file has always been 0600), it is just wrong code and
entirely
>wrong thing to do to begin with, - to change permissions of *config files*.
>Absolutely wrong.
Give me a break Michael :-). That OLD code (from me I'm sure :-) pre-dates
2004
(when it was last reformatted). smbpasswd files were being protected
from mistakes by admins (yes I was trying to save people from themselves,
this is what you get for trying to do people a favour :-).

It's an easy fix to remove it. Just raise a bug, submit a merge and I'll
get it
reviewed and pushed.

Probably best thing to do is change this to do an fstat and
log a warning message if 'rw' is set for anything other than
owner.

> It's an easy fix to remove it. Just raise a bug, submit a merge and
I'll get it
> reviewed and pushed.
> 
> Probably best thing to do is change this to do an fstat and
> log a warning message if 'rw' is set for anything other than
> owner.
https://bugzilla.samba.org/show_bug.cgi?id=15555
Filed a bug and a patch is proposed: add fstat() to bypass [f]chmod() if 
the password file has valid permissions 0600. 

We had a similar case before,
a bit different is the password file is resident on a writable ext3/ext4, 
and contantly [f]chmod() might have a performance impact on entry-level 
systems since dirty pages syncing is expensive, hope this helps :)

--

Regards,
Jones Syue | ???
QNAP Systems, Inc.