Bug 11230 - force user allows create but denies remove of files
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: 3.6.23
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2015-04-22 19:05 UTC by pwatkins
Modified: 2015-05-21 08:17 UTC

Attachments
config file (1.04 KB, text/plain)
2015-04-22 19:05 UTC, pwatkins
log file (108.23 KB, text/plain)
2015-04-22 19:06 UTC, pwatkins

Description pwatkins 2015-04-22 19:05:43 UTC
Created attachment 10978
config file

See related bug #9746.

Setting share "force user = nfsnobody" and "guest_only = yes" with global "guest account = nfsnobody" means you can create a file but not delete it. If I comment out the "force user", I can both create and delete OK.

This is different from previous behavior with the same config file. (Though it may be my config setup was odd or wrong all along.)

It looks like Jeremy's patch for #9746 wouldn't have this issue, but it 
sounds like there was some discussion on IRC resulting in Andrew's patch 
being preferred.

With force user, the security token has SIDs like this:
     SID[  0]: S-1-22-1-65534   <== nfsnobody
     SID[  1]: S-1-22-2-65534   <== nfsnobody
     SID[  2]: S-1-1-0
     SID[  3]: S-1-5-2
     SID[  4]: S-1-5-32-546

Without force user, the security token has SIDs like this:
     SID[  0]: S-1-5-21-1728798723-2110846055-115949566-501 <== default guest
     SID[  1]: S-1-5-21-1728798723-2110846055-115949566-514
     SID[  2]: S-1-1-0
     SID[  3]: S-1-5-2
     SID[  4]: S-1-5-32-546
     SID[  5]: S-1-22-1-65534   <== nfsnobody

And it's the -501 trustee which has rwx permission.

What approach do you like for fixing this: (a) set use_guest_token TRUE when the force user is the same as guest account or (b) put the missing guest SIDs in the security token on the force user path or (c) something else?

Config and log attached. Look for DENIED in the log.
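
An added example, not part of the original report and not Samba code: a small Python parser for the `SID[ n]:` token dump format quoted above, which diffs the two tokens and labels each SID. The function names are hypothetical, and the labels are the standard well-known SID and RID meanings rather than anything the report states.

```python
import re

# Token dumps as quoted in the report ("<==" notes are the reporter's).
FORCE_USER_TOKEN = """
     SID[  0]: S-1-22-1-65534   <== nfsnobody
     SID[  1]: S-1-22-2-65534   <== nfsnobody
     SID[  2]: S-1-1-0
     SID[  3]: S-1-5-2
     SID[  4]: S-1-5-32-546
"""
GUEST_TOKEN = """
     SID[  0]: S-1-5-21-1728798723-2110846055-115949566-501 <== default guest
     SID[  1]: S-1-5-21-1728798723-2110846055-115949566-514
     SID[  2]: S-1-1-0
     SID[  3]: S-1-5-2
     SID[  4]: S-1-5-32-546
     SID[  5]: S-1-22-1-65534   <== nfsnobody
"""
SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1(?:-\d+)+)")

def parse_token(dump):
    """Return the SIDs of a 'SID[ n]: S-1-...' dump, ordered by index."""
    found = {int(i): sid for i, sid in SID_LINE.findall(dump)}
    return [found[i] for i in sorted(found)]

def describe(sid):
    """Label a SID by well-known value, Samba Unix prefix, or RID."""
    well_known = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
                  "S-1-5-32-546": "BUILTIN\\Guests"}
    if sid in well_known:
        return well_known[sid]
    last = sid.rsplit("-", 1)[1]
    if sid.startswith("S-1-22-1-"):
        return "Unix user uid=" + last
    if sid.startswith("S-1-22-2-"):
        return "Unix group gid=" + last
    if sid.startswith("S-1-5-21-"):
        rids = {"501": "Guest account", "514": "Domain Guests"}
        return "RID " + last + " (" + rids.get(last, "unlabelled") + ")"
    return "unclassified"

def missing_sids(reference, candidate):
    """SIDs present in the reference token but absent from the candidate."""
    have = set(parse_token(candidate))
    return [s for s in parse_token(reference) if s not in have]

if __name__ == "__main__":
    for sid in missing_sids(GUEST_TOKEN, FORCE_USER_TOKEN):
        print("absent with force user:", sid, "->", describe(sid))
```

Run against two token dumps taken from a level-10 smbd log, the same diff shows which trustees an ACL would need to reference for both session types to be treated alike.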
Comment 1 pwatkins 2015-04-22 19:06:43 UTC
Created attachment 10979
log file
Comment 2 Andrew Bartlett 2015-04-23 21:00:59 UTC
As mentioned on IRC, Samba 3.6 is discontinued.  The current supported releases are 4.1 and 4.2, with Samba 4.0 getting security updates only.

As such, the first step is to reproduce the issue with GIT master, and if possible propose a fix there, so we can consider backporting it to 4.0 and 4.1.