On Sunday I updated two production servers from 3.4.3 to 3.4.6 (Debian packages) and got a shock: all users have full rights on all shares. With a Linux login the rights are O.K., but Samba disobeys the system rights. I experimented with some things on a test server. Using other lines in smb.conf and upgrading to 3.5.0 works no better. Not only shares with XFS system ACLs, but also shares with normal Linux rights on ext3 have the same problem. Only a downgrade to 3.4.3 solves my problem. So I hope I can downgrade the production servers in the late evening to get back to a secure system (at the moment many open files exist :-(( ). This is a very hard error. With regards, Andreas Matthus
I don't know if the ntlm_auth tool is the source of this error.
Please upload your smb.conf file so that we can reproduce this bug ASAP! Volker
Created attachment 5469 smb.conf Hello Volker, the smb.conf on the test system is very simple. I also experimented with inherit permission ... and so on. With regards, Andreas
And the symptom is exactly what? You connect to share [test] as a non-privileged user and although your unix permissions would prevent this normally, you can still write? Volker
> And the symptom is exactly what? You connect to share [test] as a
> non-privileged user and although your unix permissions would prevent this
> normally, you can still write?

I.e. if the permissions on a directory and its files are 770 and the owner is root.root, everybody with a Samba account can change into it and also read, write and create files. Andreas
Weird. Can't reproduce this here. Günther Deschner has some strange results though, still investigating. Volker
Andreas, can you do a write and then post an ls -al of the /test directory ?
(In reply to comment #6)
> Weird. Can't reproduce this here. Günther Deschner has some strange results
> though, still investigating.

Is it possible that the error comes with the system environment LANG=de_DE.UTF-8? Andreas
(In reply to comment #7)
> Andreas, can you do a write and then post an ls -al of the /test directory ?
>

ls -alR test/
test/:
insgesamt 8
drwxrwx---+ 4 root root 29 8. Mär 12:20 .
drwxr-xr-x 23 root root 4096 8. Mär 12:23 ..
drwxrwx---+ 4 root root 79 8. Mär 14:56 darf
drwxrwx--- 2 root root 17 8. Mär 12:37 nicht

test/darf:
insgesamt 36
drwxrwx---+ 4 root root 79 8. Mär 14:56 .
drwxrwx---+ 4 root root 29 8. Mär 12:20 ..
-rwxrwx---+ 1 root root 2 8. Mär 12:37 eins

test/nicht:
insgesamt 4
drwxrwx--- 2 root root 17 8. Mär 12:37 .
drwxrwx---+ 4 root root 29 8. Mär 12:20 ..
-rwxrwx--- 1 root root 2 8. Mär 12:37 eins
------
When using ACLs, this is also important:

getfacl /test/*
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: test/darf
# owner: root
# group: root
user::rwx
user:andreas:rwx
group::rwx
mask::rwx
other::---
default:user:andreas:rwx
default:mask::rwx
default:other::---

# file: test/nicht
# owner: root
# group: root
user::rwx
group::rwx
other::---
------------------------
Andreas
Is your user "andreas" in some special group ? Like Administrators or such ?
(In reply to comment #10)
> Is your user "andreas" in some special group ?
> Like Administrators or such ?
>

No.

id andreas
uid=1000(andreas) gid=1000(andreas) Gruppen=1000(andreas),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)

With Samba 3.4.3 it works fine, so this way of searching is wrong. With regards, Andreas
Ok, sorry to come back again: I don't get this reproduced right now. You seem to be running debian linux, right? Which version of it? Where do you have the samba packages from, or did you compile yourself? Volker
> Ok, sorry to come back again: I don't get this reproduced right now. You seem
> to be running debian linux, right? Which version of it? Where do you have the
> samba packages from, or did you compile yourself?

Yes, it is Debian lenny/sid. All packages are from ftp.de.debian.org. Running version 3.4.3 from an older backup.

apt-cache policy samba
samba:
  Installiert: 2:3.4.3-2
  Kandidat: 2:3.4.6~dfsg-1
  Versions-Tabelle:
     2:3.5.0dfsg-1 0
          1 http://ftp.de.debian.org experimental/main Packages
     2:3.4.6~dfsg-1 0
        500 http://ftp.de.debian.org sid/main Packages
        500 http://ftp.de.debian.org unstable/main Packages
 *** 2:3.4.3-2 0
        100 /var/lib/dpkg/status
     2:3.2.5-4lenny9 0
        500 http://security.debian.org lenny/updates/main Packages
     2:3.2.5-4lenny8 0
        500 http://ftp.tu-chemnitz.de lenny/main Packages

With regards, Andreas
Ok, just for the record, with 2764612487697e2e35bede3dbf4f41c1fea0e9c7 *reverted* I was no longer able to reproduce it on fedora12 x86_64. master (and most probably 3.5) have the same issue.
Ok, got it reproduced. Don't know what to say, this is really the worst that could ever happen.... Expect an official announcement VERY soon Thanks for keeping quiet ... Volker
(In reply to comment #14)
> Ok, just for the record, with 2764612487697e2e35bede3dbf4f41c1fea0e9c7
> *reverted* I was no longer able to reproduce it on fedora12 x86_64. master (and
> most probably 3.5) have the same issue.

Arg, pasted wrong hash, sorry Bo :) 246eba3b807e5ce50ee838c51823a9eb44f6b690 is the right one.
Fixed with 3.5.1, 3.4.7 and 3.3.12. Thanks! Volker