If a POSIX ACL ends up on a folder with "RW" mode for a group, any user in that group can now create files or folders even though they may not have the Windows native NT rights to do so. This occurs when using the acl_xattr module. I don't believe there are any hooks in Samba to invoke the acl_xattr module to verify create rights when creating a file in a folder. It looks like Samba will check the POSIX ACLs (because Linux will disallow creates if the samba daemon doesn't have the rights to create a file when it impersonates the user), but there doesn't seem to be any invocation that checks the native NT ACLs on a create operation.

To reproduce:

1. Create a group in the AD server (sambatg).
2. Create 2 users, sambag1 and sambac1, and make them members of the sambatg group.
3. Log in as user sambac1 and create a folder. Give the sambatg group read/write file permissions, but don't give it Create subfiles or Create subfolders permissions. Change any other ACLs that may exist so that the ONLY ACLs on this folder are:
   - sambac1 -> Full access rights
   - sambatg -> read/write file rights, but no create subfile or create subfolder rights
4. Log in as user sambag1 and create a folder under the folder created in step 3.

You will find that although user sambag1 does not have rights to create a file or subfolder (no rights exist for user sambag1 at all, and the group it belongs to does not have create file or create subfolder rights), the operation succeeds because a POSIX ACL is set on the folder for the group sambatg as "RW". There don't seem to be any checks for create rights within Samba. Because the POSIX ACL is set to "RW", the create operation is allowed even though the lack of native NT ACLs should cause it to fail.

An easy way to fix this would be to modify the create (open) code path in the acl_xattr module to check the parent directory/folder for valid rights before allowing the create request to succeed.
Samba does have special checks when a file or folder is being deleted but no such checks seem to exist for the creation of a file or folder.
Yes, this is correct. The underlying POSIX permissions are the only ones checked on create/mkdir. I'll look into adding this hook inside the acl modules. Jeremy.
We also need to check for SEC_DIR_LIST on opendir() as well. I'm preparing a patch for this for 3.5.0 and master (and will investigate a back-port for 3.4.4). Jeremy.
Created attachment 5034: Patch that went into master

This is what went into master. I'll look into making this work for 3.4.x. Jeremy.
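An added example, not part of this bug report and not Samba's own code, modeling in C the two checks the thread contrasts: the ordered NT DACL evaluation that the acl_xattr module would need to apply to the parent directory on create/mkdir (and for SEC_DIR_LIST on opendir(), as the later comment notes), against the POSIX permission bits that are the only thing consulted today. The access-mask values are the standard NT ones (the same numbers as Samba's SEC_DIR_*/SEC_STD_* constants); the SIDs, the token contents, the rwx group triplet assumed to result from the "RW" POSIX mapping, and the helper names (nt_access_check, nt_right_for_create, posix_can_create) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Directory access-mask bits; numerically the same as Samba's SEC_DIR_* and
 * SEC_STD_* constants (and the Windows FILE_* / standard rights). */
#define SEC_DIR_LIST            0x00000001u
#define SEC_DIR_ADD_FILE        0x00000002u
#define SEC_DIR_ADD_SUBDIR      0x00000004u
#define SEC_DIR_READ_EA         0x00000008u
#define SEC_DIR_WRITE_EA        0x00000010u
#define SEC_DIR_TRAVERSE        0x00000020u
#define SEC_DIR_READ_ATTRIBUTE  0x00000080u
#define SEC_DIR_WRITE_ATTRIBUTE 0x00000100u
#define SEC_STD_DELETE          0x00010000u
#define SEC_STD_READ_CONTROL    0x00020000u
#define SEC_STD_WRITE_DAC       0x00040000u
#define SEC_STD_SYNCHRONIZE     0x00100000u
#define SEC_DIR_FULL_CONTROL    0x001F01FFu   /* all specific + standard bits */

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; const char *trustee; };
/* The requester's security token: user SID plus all group SIDs. */
struct token { const char *const *sids; size_t n; };

static bool token_has(const struct token *t, const char *sid)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return true;
    return false;
}

/* Ordered DACL walk as in the NT model: an ALLOW ACE clears the bits it
 * grants, a DENY ACE covering any bit still outstanding fails the request,
 * and the owner is implicitly granted READ_CONTROL and WRITE_DAC. */
static bool nt_access_check(const struct ace *dacl, size_t n_aces,
                            const char *owner_sid, const struct token *t,
                            uint32_t desired)
{
    uint32_t remaining = desired;
    if (token_has(t, owner_sid))
        remaining &= ~(SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC);
    for (size_t i = 0; i < n_aces && remaining != 0; i++) {
        if (!token_has(t, dacl[i].trustee))
            continue;
        if (dacl[i].type == ACE_DENY) {
            if (remaining & dacl[i].mask)
                return false;
        } else {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;
}

/* What the kernel checks instead: the POSIX triplet (r=4, w=2, x=1) that
 * applies to the requester on the parent. Create needs w+x, opendir needs r. */
static bool posix_can_create(unsigned perm) { return (perm & 03u) == 03u; }
static bool posix_can_list(unsigned perm)   { return (perm & 04u) != 0; }

/* Hypothetical hook for the acl_xattr open/mkdir path (assumed, not Samba's
 * code): the NT right the parent directory must grant before a create. */
static uint32_t nt_right_for_create(bool creating_directory)
{
    return creating_directory ? SEC_DIR_ADD_SUBDIR : SEC_DIR_ADD_FILE;
}

/* ---- The report's scenario, with constructed (not real) SIDs ---- */
#define SID_SAMBAC1  "S-1-5-21-1000-2000-3000-1101"
#define SID_SAMBAG1  "S-1-5-21-1000-2000-3000-1102"
#define SID_SAMBATG  "S-1-5-21-1000-2000-3000-1201"
#define SID_EVERYONE "S-1-1-0"
/* sambatg's read/write file rights with the two create bits removed. */
#define SAMBATG_RW_NO_CREATE \
    (SEC_DIR_LIST | SEC_DIR_READ_EA | SEC_DIR_WRITE_EA | SEC_DIR_TRAVERSE | \
     SEC_DIR_READ_ATTRIBUTE | SEC_DIR_WRITE_ATTRIBUTE | SEC_STD_DELETE | \
     SEC_STD_READ_CONTROL | SEC_STD_SYNCHRONIZE)
static const struct ace FOLDER_DACL[] = {
    { ACE_ALLOW, SEC_DIR_FULL_CONTROL, SID_SAMBAC1 },   /* owner: full access */
    { ACE_ALLOW, SAMBATG_RW_NO_CREATE, SID_SAMBATG },
};
#define FOLDER_NACES (sizeof(FOLDER_DACL) / sizeof(FOLDER_DACL[0]))
/* Variant with a DENY ACE first: ACE order decides the outcome. */
static const struct ace DENY_FIRST_DACL[] = {
    { ACE_DENY,  SEC_DIR_ADD_SUBDIR,   SID_SAMBATG },
    { ACE_ALLOW, SEC_DIR_FULL_CONTROL, SID_EVERYONE },
};
static const char *const SAMBAG1_SIDS[] = { SID_SAMBAG1, SID_SAMBATG, SID_EVERYONE };
static const struct token SAMBAG1 = { SAMBAG1_SIDS, 3 };
static const char *const SAMBAC1_SIDS[] = { SID_SAMBAC1, SID_SAMBATG, SID_EVERYONE };
static const struct token SAMBAC1 = { SAMBAC1_SIDS, 3 };
#define POSIX_GROUP_PERM 07u   /* assumed group triplet from the "RW" mapping: rwx */

/* sambag1 mkdir under the folder: the NT DACL says no ... */
bool sambag1_nt_mkdir(void)
{
    return nt_access_check(FOLDER_DACL, FOLDER_NACES, SID_SAMBAC1, &SAMBAG1,
                           nt_right_for_create(true));
}
/* ... but the POSIX bits the kernel enforces say yes: the reported bug. */
bool sambag1_posix_mkdir(void) { return posix_can_create(POSIX_GROUP_PERM); }
/* opendir() needs SEC_DIR_LIST, which sambatg does hold in this DACL. */
bool sambag1_nt_opendir(void)
{ return nt_access_check(FOLDER_DACL, FOLDER_NACES, SID_SAMBAC1, &SAMBAG1, SEC_DIR_LIST); }
bool sambag1_nt_mkdir_deny_first(void)
{ return nt_access_check(DENY_FIRST_DACL, 2, SID_SAMBAC1, &SAMBAG1, SEC_DIR_ADD_SUBDIR); }

int main(void)
{
    printf("sambag1 mkdir:   NT ACL %s, POSIX bits %s\n",
           sambag1_nt_mkdir() ? "allows" : "denies",
           sambag1_posix_mkdir() ? "allow" : "deny");
    printf("sambag1 opendir: NT ACL %s\n", sambag1_nt_opendir() ? "allows" : "denies");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: the NT evaluation denies sambag1's mkdir while the POSIX bits allow it, which is exactly the gap the report describes; the same DACL grants SEC_DIR_LIST, so the opendir() check proposed later passes for this user. The DENY_FIRST_DACL variant shows why the parent must be evaluated in ACE order rather than by a union of granted bits.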