Re: [Samba] Anyone can create empty files (v 3.5.11)
Just a follow up in case someone else runs into this problem. It turns out this was a bug in the cifs driver. I submitted a patch to fix this.

http://marc.info/?l=linux-cifs&m=131715894203568&w=2

regards,
dan carpenter

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Anyone can create empty files (v 3.5.11)
I've found a solution which is to just chmod o-rwx the directory so the testuser doesn't have permission to open any files. That way it can't open them with O_CREAT by mistake.

I'm still new at Samba but it seems to me like what happens is that:

1) I type touch asdf as testuser on the client.
2) The client doesn't know what permissions asdf has until it opens it.
3) It opens it as dcarpenter, because that's how I mounted the share.
4) The server says "Oh, fine. dcarpenter is permitted to open files".
5) After doing the open, the client now knows what the permissions are and I don't have permission to open the file. Unfortunately, I already just created it, so the client gives me a permission denied message and closes the file.

I haven't looked at this, but it might be possible to fix the Samba client. If the client can see that testuser doesn't have write permission to the directory, it could mask out the O_CREAT flag before sending the open() to the server.

regards,
dan carpenter
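The sequence in the message above, as an added example that is not part of the original post and is not cifs driver or smbd code: a toy in-memory model comparing "open on the server, then check locally" with the proposed "mask out O_CREAT first". The struct, the function names and the single `local_may_write` flag (standing for the local user's write permission on the directory and its files) are assumptions made for the illustration.

```c
/* Toy model added for illustration; all names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8

/* The server only sees the mount credentials (dcarpenter in the thread),
 * which may create files, so an open with O_CREAT always succeeds. */
struct server { char names[MAX_FILES][32]; int count; };

static int server_has(const struct server *s, const char *name) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->names[i], name) == 0) return 1;
    return 0;
}

static int server_open(struct server *s, const char *name, int flags) {
    if (server_has(s, name)) return 0;
    if (!(flags & O_CREAT)) return -ENOENT;
    if (s->count == MAX_FILES) return -ENOSPC;
    snprintf(s->names[s->count++], sizeof s->names[0], "%s", name);
    return 0;
}

/* Steps 1-5 of the message: open on the server first, apply the local
 * user's permission check afterwards. The denial comes after the create. */
static int open_then_check(struct server *s, const char *name, int flags,
                           int local_may_write) {
    int rc = server_open(s, name, flags);
    return local_may_write ? rc : -EACCES;
}

/* The idea floated in the message: mask out O_CREAT before sending the
 * open when the local user cannot write to the directory. */
static int check_then_open(struct server *s, const char *name, int flags,
                           int local_may_write) {
    if (!local_may_write) flags &= ~O_CREAT;
    return open_then_check(s, name, flags, local_may_write);
}

int main(void) {
    struct server a = {0}, b = {0};
    int ra = open_then_check(&a, "asdf", O_WRONLY | O_CREAT, 0);
    int rb = check_then_open(&b, "asdf", O_WRONLY | O_CREAT, 0);
    printf("open-then-check: rc=%d exists=%d\n", ra, server_has(&a, "asdf"));
    printf("check-then-open: rc=%d exists=%d\n", rb, server_has(&b, "asdf"));
    return 0;
}
```

Both orderings report EACCES to the caller; only the first leaves an empty `asdf` behind on the modelled server, which matches the `touch` behaviour reported in the thread.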
Re: [Samba] Anyone can create empty files (v 3.5.11)
On Sat, Sep 24, 2011 at 05:04:50PM +0900, TAKAHASHI Motonobu wrote:
> From: Dan Carpenter dan.carpen...@oracle.com
> Date: Fri, 23 Sep 2011 09:38:56 +0300
>
> > I've mounted my cifs partition with a username and password and to test whether I had my permissions right, I did:
> >
> >     $ sudo su testuser
> >     $ touch asdf
> >     touch: cannot touch `asdf': Permission denied
> >     $
> >
> > It says permission denied, but the `asdf' file is still created. I can't write any data to it, but I can create empty files.
>
> How does ls -l asdf?

    -rw-r--r-- 1 dcarpenter dcarpenter 0 Sep 19 09:45 asdf

> By default, the permission and owner for a created file is forcibly set on root 644 because CIFS server (Windows server) essentially does not have semantics of permission. That sometimes causes an odd behavior that you have met.
>
> Try noperm option as mentioned:
> https://lists.samba.org/archive/samba/2011-September/163986.html

The noperm option means that the client doesn't do permission checks. I enabled it, and that meant that anyone could write to the samba share. That isn't what I wanted. I wanted only the one user to read to be able to write files.

But it does show that I didn't understand Samba security before and I was wrong to blame the server for this. It should be prevented in the client side. I'm still trying to figure it out. I'm using a 3.1-rc6 kernel on the client. But it's probably a configuration problem.

regards,
dan carpenter
Re: [Samba] Anyone can create empty files (v 3.5.11)
From: Dan Carpenter dan.carpen...@oracle.com
Date: Sun, 25 Sep 2011 20:29:24 +0300

> On Sat, Sep 24, 2011 at 05:04:50PM +0900, TAKAHASHI Motonobu wrote:
> > From: Dan Carpenter dan.carpen...@oracle.com
> > Date: Fri, 23 Sep 2011 09:38:56 +0300
> >
> > > I've mounted my cifs partition with a username and password and to test whether I had my permissions right, I did:
> > >
> > >     $ sudo su testuser
> > >     $ touch asdf
> > >     touch: cannot touch `asdf': Permission denied
> > >     $
> > >
> > > It says permission denied, but the `asdf' file is still created. I can't write any data to it, but I can create empty files.
> >
> > How does ls -l asdf?
>
>     -rw-r--r-- 1 dcarpenter dcarpenter 0 Sep 19 09:45 asdf
>
> > By default, the permission and owner for a created file is forcibly set on root 644 because CIFS server (Windows server) essentially does not have semantics of permission. That sometimes causes an odd behavior that you have met.
> >
> > Try noperm option as mentioned:
> > https://lists.samba.org/archive/samba/2011-September/163986.html
>
> The noperm option means that the client doesn't do permission checks. I enabled it, and that meant that anyone could write to the samba share. That isn't what I wanted. I wanted only the one user to read to be able to write files.

Try setuids option instead of noperm.

If setuids is enabled, you can set permissions as usual but remember that those settings are held in *memory*, so once if you umount and mount again, those settings are lost.

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Anyone can create empty files (v 3.5.11)
From: Dan Carpenter dan.carpen...@oracle.com
Date: Fri, 23 Sep 2011 09:38:56 +0300

> I've mounted my cifs partition with a username and password and to test whether I had my permissions right, I did:
>
>     $ sudo su testuser
>     $ touch asdf
>     touch: cannot touch `asdf': Permission denied
>     $
>
> It says permission denied, but the `asdf' file is still created. I can't write any data to it, but I can create empty files.

How does ls -l asdf?

By default, the permission and owner for a created file is forcibly set on root 644 because CIFS server (Windows server) essentially does not have semantics of permission. That sometimes causes an odd behavior that you have met.

Try noperm option as mentioned:
https://lists.samba.org/archive/samba/2011-September/163986.html

---
TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] Anyone can create empty files (v 3.5.11)
I've mounted my cifs partition with a username and password and to test whether I had my permissions right, I did:

    $ sudo su testuser
    $ touch asdf
    touch: cannot touch `asdf': Permission denied
    $

It says permission denied, but the `asdf' file is still created. I can't write any data to it, but I can create empty files.

This is because in smbd/open.c if the file doesn't exist and O_CREAT flag is set then it lets you open the file without checking smbd_check_open_rights().

Or am I doing something wrong? I'm using Debian testing (wheezy).

regards,
dan carpenter