Hi All,

One more point if I may:

I see that Samba currently considers it a security "problem", not a security "benefit". However, frequently there are sub trees that need to be accessed by a particular user, and with the current semantics, you need to give more permissions than you might otherwise need to for the directories above the sub tree. The whole point of a share (or an NFS export) on a server is to be a direct point of access to clients.

I didn't see how my change violates any POSIX security. It sounds so logical to me to give user permissions only from mount/export points and not for any directory leading to the mount point.

Cheers,
Ephi

-----Original Message-----
From: Ephi Dror
Sent: Monday, August 21, 2006 12:11 PM
To: [email protected]
Cc: 'Jeremy Allison'; '[EMAIL PROTECTED]'
Subject: Re: [Samba] User can't access a share that he has full control of

Hi Simo,

Thank you for your reply.

I actually did a little test in which I have two users, U1 and U2. I have a path \\dir1\dir2 in which I gave access only to administrator (who is mapped to 0) to dir1 and I gave U1 full control to dir2. Now I made a share mapping to \\dir1\dir2.

With SAMBA code "as is", neither U1 nor U2 can access the share. With my little patch as I described before, U1 can access the share while U2 can't, which is exactly my expectation.

Also, this is how my "windows" customers can be set up for running home directories. Our customers are too much "windows" oriented and prefer setting file security (ACLs) via what they know best, which is file properties, and less via smb.conf, in which we are the champions...

Also, they told me that they typically create some kind of an "admin" share to the root of the file system in which only restricted users and groups can have access, and then they create all their wonderful folders and stuff in which they use ACLs to manipulate access.

So they create different shares pointing to different paths in the file system, but since the "admin" share that points to the root gave access only to administrator, for example, that's how they run into the problem with our SAMBA.

So far I can't see it as a problem.

Cheers,
Ephi

-----Original Message-----
From: simo [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 11:41 AM
To: Jeremy Allison
Cc: Ephi Dror; [email protected]
Subject: Re: [Samba] User can't access a share that he has full control of

On Mon, 2006-08-21 at 11:12 -0700, Jeremy Allison wrote:
> > 3. If I do this change for our customers, is there any security
> > issue here that I haven't thought about?
>
> Yes, it's a security hole (IMHO). It completely bypasses security for
> a path. There might be things an attacker could do with this (don't
> have time right now to think up evil scenarios but I'm sure there are
> some :-).

An easy example is accessing other users' home directories where the target user has a 700 permission on his home directory specifically set to keep out other users. It is a common scenario in Unix environments.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
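
Added example, not part of the thread and not Samba code: a small model of the two checks being debated, the full POSIX walk from the filesystem root versus a check that starts at the share root. The directory table, the uids (0 = administrator, 1001 = U1, 1002 = U2) and the /home/target/pub layout are constructed, and only classic mode bits are modelled, not ACLs.

```python
import posixpath

# Constructed directory metadata: path -> (mode, owner uid, owner gid).
# uid 0 is the administrator, 1001 is U1, 1002 is U2 (all hypothetical).
TREE = {
    "/": (0o755, 0, 0),
    "/dir1": (0o700, 0, 0),
    "/dir1/dir2": (0o700, 1001, 1001),
    "/home": (0o755, 0, 0),
    "/home/target": (0o700, 2001, 2001),
    "/home/target/pub": (0o755, 2001, 2001),
}

def can_search(path, uid, gids, tree=TREE):
    """Classic mode-bit check for search (x) permission on one directory."""
    mode, owner, group = tree[path]
    if uid == 0:
        return True            # root bypasses directory permission checks
    if uid == owner:
        return bool(mode & 0o100)
    if group in gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def chain(start, target):
    """Directories from start down to target, both inclusive."""
    parts = []
    path = target
    while True:
        parts.append(path)
        if path == start:
            break
        if path == "/":
            raise ValueError("start is not an ancestor of target")
        path = posixpath.dirname(path)
    return list(reversed(parts))

def first_blocker(start, target, uid, gids, tree=TREE):
    """First directory the user cannot traverse, or None if all allow it."""
    for path in chain(start, target):
        if not can_search(path, uid, gids, tree):
            return path
    return None
```

Calling `first_blocker("/", share, ...)` models the walk from the filesystem root; calling it with `start` equal to the share path models a check that begins at the share root, so comparing the two results for the same user shows which ancestor directory the second check no longer consults.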
