Bug 1254 - write list not working under share-level security
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.4
Hardware: All FreeBSD
Importance: P3 major
Target Milestone: none
Assigned To: Jeremy Allison
Duplicates: 1319 1532 1844 5958
Depends on:
Blocks: 1319

Reported: 2004-04-09 05:53 UTC by Jon Noack
Modified: 2009-01-25 13:47 UTC

Attachments
tarred and gzipped level 10 log files (15.65 KB, application/gzip)
2004-05-19 01:03 UTC, Jon Noack
a patch for checking read list/write list parameters when security=share (724 bytes, patch)
2004-07-23 02:49 UTC, Shiro Yamada
a patch for checking read list/write list parameters when security=share (929 bytes, patch)
2004-07-25 18:43 UTC, Shiro Yamada
Patch for 3.2.x and above. (3.86 KB, patch)
2008-12-03 19:16 UTC, Jeremy Allison
Better patch. (3.57 KB, patch)
2008-12-03 19:53 UTC, Jeremy Allison

Description Jon Noack 2004-04-09 05:53:30 UTC
I'm actually running 3.0.3pre2 under FreeBSD 5.2.1, but 3.0.3pre2 is not an
option in Bugzilla yet...

Upgraded to 3.0.3pre2 from 3.0.2a and now I am unable to write to certain
shares.  A sample config that no longer works (from testparm):
[fun]
        comment = Fun Stuff
        path = /usr/home/fun
        write list = @fun
        force group = fun
        create mask = 0664
        directory mask = 0775
        guest ok = Yes

This used to allow anyone to read and people in the fun group to write.  Now,
everyone can read but no one can write.  However, users have no problem writing
to their home directories and this share still works fine (from testparm):
[web]
        comment = Web Page
        path = /usr/local/www/data
        valid users = noackjr
        read only = No
        create mask = 0644

The log for the specific client shows that I am connecting with the correct
group (500 = fun):
[2004/04/09 06:53:26, 5] smbd/uid.c:change_to_user(267)
  change_to_user uid=(1001,1001) gid=(0,500)
[2004/04/09 06:53:26, 1] smbd/service.c:make_connection_snum(619)
  192.168.1.11 (192.168.1.11) connect to service fun initially as user noackjr
(uid=1001, gid=500) (pid 34551)

However, when I attempt to copy a file ("import") into the share:
[2004/04/09 06:53:33, 5] smbd/filename.c:unix_convert(312)
  New file import
[2004/04/09 06:53:33, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(import) returning 0664
[2004/04/09 06:53:33, 5] smbd/files.c:file_new(122)
  allocated file structure 7182, fnum = 11278 (1 used)
[2004/04/09 06:53:33, 10] smbd/open.c:open_file_shared1(833)
  open_file_shared: fname = import, dos_attrs = 0, share_mode = 42, ofun = 12,
mode = 664, oplock request = 0
[2004/04/09 06:53:33, 8] lib/util.c:is_in_path(1508)
  is_in_path: import
[2004/04/09 06:53:33, 8] lib/util.c:is_in_path(1512)
  is_in_path: no name list.
[2004/04/09 06:53:33, 4] smbd/open.c:open_file_shared1(1010)
  calling open_file with flags=0x2 flags2=0x0 mode=0664
[2004/04/09 06:53:33, 3] smbd/open.c:open_file(110)
  Permission denied opening import
[2004/04/09 06:53:33, 5] smbd/files.c:file_free(385)
  freed files structure 11278 (0 used)
[2004/04/09 06:53:33, 10] smbd/trans2.c:set_bad_path_error(2130)
  set_bad_path_error: err = 1 bad_path = 0
[2004/04/09 06:53:33, 3] smbd/error.c:error_packet(94)
  error string = Operation not permitted
[2004/04/09 06:53:33, 3] smbd/error.c:error_packet(118)
  error packet at smbd/trans2.c(2139) cmd=45 (SMBopenX) NT_STATUS_ACCESS_DENIED

I will email full logs on request.
Comment 1 Jon Noack 2004-04-23 07:50:25 UTC
Still not working with 3.0.3rc1.  Again, the write list is ignored even though I
can authenticate successfully with other shares.

$ smbclient -U noackjr //optimator/fun
Password:
Domain=[JONES] OS=[Unix] Server=[Samba 3.0.3rc1]
smb: \> put CHANGES
NT_STATUS_ACCESS_DENIED opening remote file \CHANGES
smb: \> quit
$ smbclient -U noackjr //optimator/noackjr
Password:
Domain=[JONES] OS=[Unix] Server=[Samba 3.0.3rc1]
smb: \> put CHANGES
putting file CHANGES as \CHANGES (401.3 kb/s) (average 401.3 kb/s)
smb: \> quit
$ smbclient -U noackjr //optimator/web
Password:
Domain=[JONES] OS=[Unix] Server=[Samba 3.0.3rc1]
smb: \> put CHANGES
putting file CHANGES as \CHANGES (316.4 kb/s) (average 316.4 kb/s)
smb: \> quit
Comment 2 Jon Noack 2004-05-14 16:32:21 UTC
Noticed the change to version 3.0.3:
I can confirm that I still see this issue with 3.0.3.

Again, I am happy to provide logs on request.
Comment 3 Jon Noack 2004-05-19 01:03:05 UTC
Still present in 3.0.4.  I'll attach a level 10 log.  The commands used are
below.  The output of 'testparm -s' is also below.

**********************************************************************
$ whoami
noackjr
$ groups
noackjr wheel fun download cvs
$ cat sig.txt
"Do not worry about your problems with computers, I assure you mine are far
greater." -- Jonathan Noack
$ sudo /usr/local/etc/rc.d/samba.sh start && smbclient //optimator/fun && sudo
/usr/local/etc/rc.d/samba.sh stop
ps: kvm_getprocs: No such process
Starting SAMBA: removing stale tdbs :
/var/db/samba/connections.tdb
/var/db/samba/locking.tdb
/var/db/samba/messages.tdb
/var/db/samba/sessionid.tdb
/var/db/samba/brlock.tdb
Starting nmbd.
ps: kvm_getprocs: No such process
Starting smbd.
Password:
Domain=[JONES] OS=[Unix] Server=[Samba 3.0.4]
smb: \> put sig.txt
NT_STATUS_ACCESS_DENIED opening remote file \sig.txt
smb: \> quit
Stopping /usr/local/sbin/nmbd.
Waiting for PIDS: 49510.
Stopping /usr/local/sbin/smbd.
**********************************************************************
$ testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[web]"
Processing section "[download]"
Processing section "[fun]"
Loaded services file OK.
# Global parameters
[global]
        workgroup = JONES
        server string = Samba Server
        security = SHARE
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 1000
        load printers = No
        os level = 255
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        hosts allow = 127., 192.168.1.

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[web]
        comment = Web Page
        path = /usr/local/www/data
        valid users = noackjr
        read only = No
        create mask = 0644

[download]
        comment = Downloaded Stuff
        path = /usr/home/download
        write list = @download
        force group = download
        create mask = 0664
        directory mask = 0775
        guest ok = Yes

[fun]
        comment = Fun Stuff
        path = /usr/home/fun
        write list = @fun
        force group = fun
        create mask = 0664
        directory mask = 0775
        guest ok = Yes
**********************************************************************
Comment 4 Jon Noack 2004-05-19 01:03:26 UTC
Created attachment 520
tarred and gzipped level 10 log files
Comment 5 Gerald (Jerry) Carter 2004-05-25 06:17:03 UTC
please try the patch in bug 1345
Comment 6 Jon Noack 2004-05-25 07:02:30 UTC
The patch from bug 1345 did not fix this problem.
Comment 7 Guillaume DELVIT 2004-05-26 00:04:34 UTC
I confirm too.
version 3.0.4
example:
1/
readonly = yes
write list = @test 
valid users = @test, @temp

--> @test and @temp can't write, 

2/
readonly = no
write list = @test 
valid users = @test, @temp


--> @test and @temp can write ! (normal)

Guillaume
Comment 8 spam99 2004-05-28 21:14:58 UTC
Also, it should be noted that 'read list' does not work correctly either.  If
you have read only = no, then users in 'read list' will have write access
instead of read only access.

It basically appears that the 'read only' attribute overrides both 'write list'
and 'read list' parameters, which it is not supposed to do (according to the docs).
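
The access rules that comments 7 and 8 compare against the observed behaviour, as an added example (not part of any comment here and not Samba's code). `GROUPS`, the user names and all function names are constructed for illustration; `reported_access` models only the symptom described in this bug, not smbd's actual code path.

```python
GROUPS = {"test": {"alice"}, "temp": {"bob"}}  # constructed sample membership

def parse_share(text):
    """Parse 'name = value' lines; names are compared without case or whitespace."""
    share = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            share["".join(name.lower().split())] = value.strip()
    return share

def in_list(user, user_list):
    """Match a plain user name or an @group entry in a comma/space separated list."""
    for entry in user_list.replace(",", " ").split():
        if entry == user or (entry.startswith("@") and user in GROUPS.get(entry[1:], ())):
            return True
    return False

def read_only(share):
    return share.get("readonly", "yes").lower() in ("yes", "true", "1")

def allowed(share, user):
    valid = share.get("validusers", "")
    return not valid or in_list(user, valid)

def documented_access(share, user):
    """Documented rule: write list and read list apply whatever 'read only' says."""
    if not allowed(share, user):
        return "none"
    if in_list(user, share.get("writelist", "")):
        return "write"  # write list wins if the user is in both lists
    if in_list(user, share.get("readlist", "")):
        return "read"
    return "read" if read_only(share) else "write"

def reported_access(share, user):
    """Symptom reported in this bug: only 'read only' is consulted."""
    if not allowed(share, user):
        return "none"
    return "read" if read_only(share) else "write"

def mismatches(share, users):
    """Users whose reported access differs from the documented access."""
    pairs = {u: (documented_access(share, u), reported_access(share, u)) for u in users}
    return {u: p for u, p in pairs.items() if p[0] != p[1]}

# Comment 7, case 1, and the 'read list' case from comment 8 (constructed stanzas).
CASE_WRITE_LIST = parse_share("readonly = yes\nwrite list = @test\nvalid users = @test, @temp")
CASE_READ_LIST = parse_share("read only = no\nread list = @temp")
```

The second case is the one that matters for an audit: a user the administrator restricted with `read list` ends up with write access.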
Comment 9 Gerald (Jerry) Carter 2004-07-21 05:30:54 UTC
*** Bug 1532 has been marked as a duplicate of this bug. ***
Comment 10 Shiro Yamada 2004-07-23 02:49:44 UTC
Created attachment 578
a patch for checking read list/write list parameters when security=share

I'm not sure whether I am doing the right thing at the right place or
not, but it works for this particular issue.
Comment 11 Shiro Yamada 2004-07-25 18:43:12 UTC
Created attachment 581
a patch for checking read list/write list parameters when security=share

Actually, the same sort of problem exists for "force user" parameter
and my previous patch did not take account of that.

An example of such configurations would be:

[global]
   security = user
[tmp]
   path = /tmp
   read only = yes
   force user = shiro
   write list = shiro
Comment 12 Gerald (Jerry) Carter 2005-02-08 20:58:05 UTC
*** Bug 1844 has been marked as a duplicate of this bug. ***
Comment 13 Gerald (Jerry) Carter 2005-02-11 07:47:54 UTC
*** Bug 1319 has been marked as a duplicate of this bug. ***
Comment 14 Volker Lendecke 2007-01-16 00:54:47 UTC
Please retry with 3.0.23d. This area has completely changed with 3.0.23, so the behaviour is at least completely different. Feel free to re-open if it does not work for you.

Volker
Comment 15 TAKAHASHI Motonobu 2008-11-29 10:40:08 UTC
Still not fixed in Samba 3.2.4. My smb.conf is:

[global]
  security = share
  passdb backend = tdbsam

[share1]
  read only = yes
  write list = share1rw
  username = share1ro share1rw
  path = /var/lib/samba/shares/tmp
  only user = yes

If we authorized as share1rw, we cannot write.
Comment 16 Jeremy Allison 2008-12-03 19:16:12 UTC
Reopened for 3.2.x and above.
Comment 17 Jeremy Allison 2008-12-03 19:16:52 UTC
Created attachment 3774
Patch for 3.2.x and above.

This fixes the problem for me. Please test.
Jeremy.
Comment 18 Jeremy Allison 2008-12-03 19:53:23 UTC
Created attachment 3775
Better patch.

Patch for 3.2.x only. Much better patch, changes less. Still works for me.
Jeremy.
Comment 19 Jeremy Allison 2008-12-03 19:57:02 UTC
*** Bug 5905 has been marked as a duplicate of this bug. ***
Comment 20 TAKAHASHI Motonobu 2008-12-16 09:42:56 UTC
I tested against Samba 3.2.6 under #15 env. and found this bug is fixed at 3.2.6.

Thanks!
Comment 21 Karolin Seeger 2009-01-21 09:46:39 UTC
*** Bug 5958 has been marked as a duplicate of this bug. ***
Comment 22 Volker Lendecke 2009-01-25 13:47:33 UTC
Closing -- please re-open if it's still an issue