Bug 15785 - samba: chdir auditing does not record transitions into subdirectories
Status: CLOSED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.19.6
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
 
Reported: 2025-01-20 14:34 UTC by Aleksandr
Modified: 2025-01-23 21:29 UTC

Description Aleksandr 2025-01-20 14:34:43 UTC
Short description
samba: chdir auditing does not record transitions into subdirectories

Steps to reproduce
Create a share, inside it create a folder called test_dir.
Mount the share (for example, to /mnt/share/testshare/), then navigate to /mnt/share/testshare/test_dir.

Expected result
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4/test_dir

Actual result
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4

smb.conf:
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Debian)
   security = user
   map to guest = Bad User
   server role = standalone server
   logging = syslog@1 file
   log level = 10 vfs:10

[testshare]
   path = /srv/samba/testshare
   comment = testshare
   read only = no
   printable = no
   browseable = yes
   create mask = 0777
   guest ok = no
   guest only = no
   valid users = user1
   vfs objects = full_audit
   write list = @everybody
   full_audit:prefix = %u|%I

   full_audit:success = chdir
       #close flistxattr connectpath fstat openat
   full_audit:failure = chdir

   full_audit:facility = USER
   full_audit:priority = INFO
   full_audit:syslog = true
   full_audit:log_secdesc = false

During the refactoring and optimization of samba_vfs, certain operations disappeared. In newer versions, directory traversal is done by different mechanisms. Precisely because chdir is no longer called directly, we do not see directory transitions in the log. Avoiding frequent calls to chdir (the function to change the current directory) helps reduce overhead on updating the process’s current working directory, which is especially important when handling a large number of simultaneous client connections.

Here are the commits related to chdir call optimizations from version 4.13.13 to 4.17.10 (the interval in which logging disappeared):
https://gitlab.com/samba-team/samba/-/commit/84020efb1fed7561259504a3bb36989c58d9996e
https://gitlab.com/samba-team/samba/-/commit/6e6ced4b8cbddd9a04e69cb1865fa75ba7b4f8b7
https://gitlab.com/samba-team/samba/-/commit/688604a423bb4dbb36ea6bc86e629d6ab0c4082d
https://gitlab.com/samba-team/samba/-/commit/5ae2d4e4d0fa3403bd571dbbbbf01cf84ddfa8f2


Please bring back logging of subdirectory changes, thank you!
Comment 1 Aleksandr 2025-01-20 15:10:21 UTC
(In reply to Aleksandr from comment #0)
I want to add to the previous message:

Expected result (verified on Samba 4.13.13, 4.12.5)
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4/test_dir

Actual result (verified on Samba 4.19.6, 4.17.12)
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4


Effectively, there has been a degradation in audit logging. The “chdir” parameter still exists, but it no longer logs as intended—essentially, it no longer works.
Comment 2 Ralph Böhme 2025-01-20 16:17:51 UTC
If you don't see subdirectory changes, there are simply no subdirectory changes taking place. You can verify this with strace. Newer Samba versions use openat2() with RESOLVE_BENEATH, hence avoiding chdir() calls.
Comment 3 Volker Lendecke 2025-01-20 16:21:55 UTC
I think the bug is that we in fact don't do the chdir-calls anymore. I don't know if I am willing to put them back in response to this bug report though, this would be a pretty fundamental change.
Comment 4 Jeremy Allison 2025-01-21 00:55:55 UTC
(In reply to Volker Lendecke from comment #3)

We should just document that chdir no longer logs an audit message and move on. Or just close this one as "WONTFIX".

chdir was only used when we didn't have modern open semantics and I'm *really* glad to see the end of it :-).
Comment 5 Aleksandr 2025-01-21 06:11:09 UTC
(In reply to Jeremy Allison from comment #4)

Yes, I understand that during optimization and the change in semantics, chdir calls simply stopped being invoked. But how then can we track transitions to internal directories?
Aside from indirect methods like the create_file parameter.
Samba 4.19.6
Comment 6 Aleksandr 2025-01-21 06:16:35 UTC
I think I can take something from Samba 4.21 and bring it into 4.19... if it can log transitions into nested directories in the audit.
I just need to know what exactly =)
Comment 7 Volker Lendecke 2025-01-21 13:47:11 UTC
What is your real requirement?
Comment 8 Aleksandr 2025-01-22 06:37:44 UTC
I want the transitions into subdirectories of the mounted folder to be recorded in the audit. I showed an example of how it should look earlier. It doesn't necessarily have to be chdir.
Comment 9 Ralph Böhme 2025-01-22 07:04:00 UTC
(In reply to Aleksandr from comment #8)
That's still the case. So if you don't see any corresponding audit messages, there are just no such transitions. See my earlier post for an explanation of this.
Comment 10 Ralph Böhme 2025-01-22 07:06:17 UTC
(In reply to Aleksandr from comment #0)
Also note that changing into a subdirectory on the *client* doesn't translate into a chdir on the server.
Comment 11 Aleksandr 2025-01-22 09:15:15 UTC
(In reply to Ralph Böhme from comment #10)
I understand how it works and that chdir calls are not being made, which is why there are no logs. I don't need to call chdir; I need complete logs in the audit. =)
Comment 12 Ralph Böhme 2025-01-22 09:37:47 UTC
(In reply to Aleksandr from comment #11)
You have all events in the audit log.
Comment 13 Volker Lendecke 2025-01-22 09:56:34 UTC
If what you need to audit is a client-side chdir, then as Ralph said in comment 10: You won't get it. There is no "Current Working Directory" concept in SMB, and the client is free to do it in any number of ways.
Comment 14 Aleksandr 2025-01-23 21:20:08 UTC
(In reply to Volker Lendecke from comment #13)
This is what I wanted to hear. Then the issue is finally resolved, thank you
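
Added example (not code from the Samba project or from any commenter), following up on the "indirect methods" mentioned in comment 5: since chdir now only ever names the share root, the directories a client touched can be reconstructed from the path arguments of other full_audit operations. It assumes full_audit:success is widened to include create_file and openat; the non-chdir sample lines are constructed and their argument layout is an assumption to check against real logs.

```python
import posixpath
import re
from collections import defaultdict

# Matches the syslog tag, then captures the full_audit payload after it.
AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(?P<payload>.*)$")

def parse_audit_line(line, prefix_fields=2):
    """Split one full_audit line; prefix_fields=2 matches full_audit:prefix = %u|%I."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    parts = m.group("payload").strip().split("|")
    if len(parts) < prefix_fields + 3:   # need prefix, op, result and at least one arg
        return None
    args = parts[prefix_fields + 2:]
    return {"who": tuple(parts[:prefix_fields]), "op": parts[prefix_fields],
            "ok": parts[prefix_fields + 1] == "ok", "args": args[:-1], "path": args[-1]}

def directories_touched(lines, share_root):
    """Map (user, client) -> ordered directories under share_root seen in successful ops."""
    root = share_root.rstrip("/")
    seen = defaultdict(list)
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or not ev["ok"]:
            continue
        path = posixpath.normpath(ev["path"])
        if path != root and not path.startswith(root + "/"):
            continue                      # not a path inside this share
        # chdir targets and objects flagged "dir" are directories (assumed layout);
        # for anything else, the parent directory is what the client reached into.
        is_dir = ev["op"] == "chdir" or "dir" in ev["args"] or path == root
        directory = path if is_dir else posixpath.dirname(path)
        if directory not in seen[ev["who"]]:
            seen[ev["who"]].append(directory)
    return dict(seen)

SAMPLE = [
    # From the report ("Actual result"): chdir only names the share root.
    "May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4",
    "May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4",
    # Constructed lines; the argument layout is an assumption.
    "May 25 14:56:04 sudcm smbd_audit: user|10.0.2.0|create_file|ok|0x100081|dir|open|/srv/samba/share4/test_dir",
    "May 25 14:56:05 sudcm smbd_audit: user|10.0.2.0|openat|ok|r|/srv/samba/share4/test_dir/sub/report.txt",
    "May 25 14:56:06 sudcm smbd_audit: user|10.0.2.0|openat|fail (Permission denied)|r|/srv/samba/share4/private/x",
]

if __name__ == "__main__":
    for who, dirs in directories_touched(SAMPLE, "/srv/samba/share4").items():
        print(who, dirs)
```

Failed operations are skipped here; an audit that cares about denied attempts would collect them in a second map instead of dropping them.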