zfsacl problem with share permissions set from Computer Management


zfsacl problem with share permissions set from Computer Management

Samba - General mailing list
I'm using zfsacl on samba 4.6.6 on FreeBSD. File system ACLs work correctly, and Computer Management allows me to set share permissions (permissions are updated and displayed back correctly), but access doesn't appear to honor the configured share permissions. For example, users with file level ACLs that grant write permission are allowed to write even when share level permissions only grant read access to "Everyone".

I noticed a comment on a FreeNAS discussion that seems to indicate that zfsacl is incompatible with permissions stored in share_info.tdb:

"Caveat: It appears that samba evaluates share_info.tdb and ZFS ACLs out of order. ZFS ACLs are given precedence. This means that administrators may need to disable the zfsacl vfs module in order for samba to properly use share_info.tdb to control access to shares."

This is in a post from December 2015:
https://forums.freenas.org/index.php?threads/cifs-smb-samba-tips-and-tricks.34995/

I didn't find any bug report related to this. Is anyone aware of this issue or a work-around?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: zfsacl problem with share permissions set from Computer Management

Samba - General mailing list
On Thu, Aug 10, 2017 at 11:13 AM, Joe Frank via samba <[hidden email]> wrote:

>
> I didn't find any bug report related to this. Is anyone aware of this
> issue or a work-around?
>
>
The workaround may be to have the client log out and log back in after
making the changes. :-)  I just tested on a FreeBSD system. The permissions
work as expected once the client establishes a fresh connection.

Re: zfsacl problem with share permissions set from Computer Management

Samba - General mailing list
> The workaround may be to have the client log out and log back in after
> making the changes. :-)  I just tested on a FreeBSD system. The permissions
> work as expected once the client establishes a fresh connection.

It appears that when a user has SeDiskOperatorPrivilege they always have full access regardless of the share permissions. When I attempt access using credentials without SeDiskOperatorPrivilege, the share permissions block access.
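Given the observation above that holders of SeDiskOperatorPrivilege get full access regardless of what share_info.tdb says, the practical check is to know which accounts actually hold that privilege. The POSIX shell snippet below is an added example, not code from this thread or from Samba: it parses the output of `net rpc rights list accounts` (account name, then one privilege per line, blocks separated by blank lines) and prints every account granted a given privilege. The sample output, and the account names in it, are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the thread): find which accounts hold a Samba
# privilege such as SeDiskOperatorPrivilege, based on the output of
#   net rpc rights list accounts -U <admin>

# Reads "net rpc rights list accounts" output on stdin and prints the
# account name of every block that lists the wanted privilege.
# Parsed format: account name line, then one privilege per line (or
# "No privileges assigned"), with blank lines separating accounts.
accounts_with_privilege() {
    priv="$1"
    awk -v want="$priv" '
        # a blank line ends the current account block
        /^[[:space:]]*$/ { acct = ""; next }
        # first non-blank line of a block is the account name
        acct == "" { acct = $0; next }
        # every later line in the block is a privilege name
        $0 == want { print acct }
    '
}

# Constructed sample output (assumption: an EXAMPLE domain in which two
# accounts hold SeDiskOperatorPrivilege and one holds nothing).
SAMPLE_RIGHTS='BUILTIN\Administrators
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeRemoteShutdownPrivilege

EXAMPLE\joe
SeDiskOperatorPrivilege

EXAMPLE\alice
No privileges assigned'

# Runs the check over the constructed sample; prints one account per line.
disk_operators_from_sample() {
    printf '%s\n' "$SAMPLE_RIGHTS" | accounts_with_privilege SeDiskOperatorPrivilege
}

# Against a live server, replace the sample with the real command:
#   net rpc rights list accounts -U admin | accounts_with_privilege SeDiskOperatorPrivilege
disk_operators_from_sample
```

Accounts that show up here will not be constrained by the share ACL set from Computer Management, so compare the list against who is meant to administer shares; `net rpc rights revoke <account> SeDiskOperatorPrivilege -U <admin>` removes the privilege, and `sharesec <share> --view` shows what share_info.tdb currently holds for a share.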

Re: zfsacl problem with share permissions set from Computer Management

Samba - General mailing list
On Fri, Aug 11, 2017 at 9:27 AM, Joe Frank via samba <[hidden email]> wrote:
>
>
> It appears that when a user has SeDiskOperatorPrivilege they always
> have full access regardless of the share permissions. When I attempt access
> using credentials without SeDiskOperatorPrivilege, the share permissions
> block access.


Great! I'm glad you figured it out!

If you think about it another way, this is a way to keep admins from
locking themselves out of shares. By the way, there is a similar
anti-foot-shooting mechanism with ZFS ACLs. The owner of a file will always
be able to change the permissions of the file. I.e., if you run the command
"setfacl -m everyone@:C::deny foo", the owner of "foo" can still edit ACL
for "foo".