Bug 3449 - hide unreadable option hides too much
Summary: hide unreadable option hides too much
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.21a
Hardware: Other Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL: http://bugs.debian.org/331502
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-25 14:23 UTC by Christian Perrier (dead mail address)
Modified: 2008-12-29 06:08 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Perrier (dead mail address) 2006-01-25 14:23:49 UTC
As explained in the URL, this is Debian bug #331502.:

On a production server that I am maintaining, I use the option "hide
unreadable" to keep unauthorized users from seeing such restricted
directories and files.
It worked perfectly up to version 3.0.11 of samba. Some later version
changed that and version 3.0.14a-3 still hides those directories from
authorized users.
This bug could be related to bug#305747: samba: 'hide special files' option
hides *all* files in 3.0.14a-1

This is actually *not* related to Debian bug #305747 which has been solved by upstream.

I can confirm this bug myself:

smb.conf excerpt:

security=user

[public]
directory mask=0700
browseable=yes
comment=Public
read only=no
create mask=0770
public=yes
path=/var/tmp/samba-test
hide unreadable = yes

root@mykerinos:/var/tmp/samba-test# ls -la
total 4
drwxrwxrwx 2 root      root        26 2006-01-25 06:45 .
drwxrwxrwt 9 root      root      4096 2006-01-25 06:44 ..
-rw------- 1 root      root         0 2006-01-25 06:45 bar
-rw------- 1 spongebob spongebob    0 2006-01-25 06:45 foo


bubulle@mykerinos:~/src/debian/build> smbclient \\\\127.0.0.1\\public
-U spongebob
Password:
Domain=[CC-MYKERINOS] OS=[Unix] Server=[Samba 3.0.21a]
smb: \> ls
  .                                   D        0  Wed Jan 25 06:45:16 2006
  ..                                  D        0  Wed Jan 25 06:44:31 2006

                60675 blocks of size 32768. 30136 blocks available

As you see, what is expected is "spongebob" to see the "foo" file
while he should not see "bar".
Comment 1 schoepf-debian 2006-04-24 10:58:41 UTC
I did some further investigation on this behavior.
Interestingly, some strange combination of client OS and directory name on the server seems to result in this behavior.

Given: Client-OS: Windows 98 SE
Samba 3.0.14 (Debian Sarge)

There's a directory on the server, that's owned be root.somegroup, with permissions of 0770. The user on the client machine is in group "somegroup", primary group is "othergroup".

Now, it seems that as soon as the directory is named "y-something" or "Y-something" everything that would normally appear beneath that group is invisible (it's still accessible, tho).

Now, change the Samba Server version to 3.0.11 and everything will get listed.
Or change the name from "y-something" to "y_something" or "x-something" or "z-something"...

Or: leave the Samba Server at version 3.0.14 and the directory named "y-something" and just used Windows XP (SP2) as the client OS - instead of Windows 98 SE. Same user, but in this combination "y-something" is visible...

So, it seems that either Windows 98 SE sends a different request that causes Samba Version > 3.0.11 to choke on dirs called "y-something" or Samba Version > 3.0.11 changed something that causes Windows 98 SE to choke on dirs called "y-something". And to repeat: it's not just that directory that's hidden, it's everything that would be listed beneath/after/below that directory.

This behavior first appeared in version 3.0.12. 3.0.11 works fine.

Thanks!
Comment 2 erich gutweniger 2007-05-07 08:35:16 UTC
same problem with ACL and hide unreadable option  hides too much

drwxrwx---+ 2 root root  48 May  7 15:28 usera/
sll:/smb/stuffer/tmp # getfacl *
# file: usera
# owner: root
# group: root
user::rwx
user:erich:rwx
group::rwx
mask::rwx
other::---

File usera is not visible to user erich
Comment 3 Christian Perrier (dead mail address) 2008-12-29 06:08:11 UTC
Checking in 3.3.0rc2 and 3.2.5, this bug is no longer here