On Wed, 9 May 2012, Kosa Attila wrote:

> On Wed, May 09, 2012 at 08:58:57AM +0200, Szima Gábor wrote:
>>
>> As the nobody user, samba is only willing to open /tmp and, under it,
>> only the directories and files owned by nobody, even though the mode
>> is 777.
>>
>> What could be the solution?
>
> I don't know yet, but I would have a look at the output of
> # testparm -v < /dev/null > full_smb.conf
> (you can also send it to me privately).

conf:

[global]
  workgroup = WORKGOUP
  server string = Teszt
  map to guest = Bad User
  usershare allow guests = Yes
  follow symlinks = yes
  unix extensions = yes
  wide links = yes

[Teszt]
  comment = Teszt
  path = /tmp
  read only = Yes
  guest ok = Yes

testdump:

[global]
         workgroup = WORKGOUP
         server string = Teszt
         map to guest = Bad User
         usershare allow guests = Yes
         idmap config * : backend = tdb
         wide links = Yes

[Teszt]
         comment = Teszt
         path = /tmp
         guest ok = Yes


>> I'm guessing some kernel parameter.
>
> Why?

Nothing comes to mind offhand, but I recall some permission fix that did not
let daemons out of their home directory, or something like that.

The maddening part is that it lets me into /tmp (chmod 777, chown root), but
not into /tmp2 (chmod 777, chown root)...

--------------------------------------------------------------------------
drwxrwxrwx  22 root root  4096 May  9 09:54 tmp

smbclient //192.168.2.1/Teszt

smb: \> dir
   .                                   D        0  Wed May  9 09:54:52 2012
   ..                                  D        0  Wed May  9 02:34:40 2012
...
   hello                                        1  Wed May  9 11:00:06 2012
   mc-root                             D        0  Wed May  9 03:01:57 2012
--------------------------------------------------------------------------

smb: \> get hello
NT_STATUS_ACCESS_DENIED opening remote file \hello

# chown nobody /tmp/hello

smb: \> get hello
getting file \hello of size 1 as hello (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)



However:

[Teszt]
  comment = Teszt
  path = /tmp2
  read only = Yes
  guest ok = Yes

drwxrwxrwx  22 root root  4096 May  9 09:55 tmp2

smb: \> sygma@tivadar:~> smbclient //192.168.60.1/Teszt
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> pwd
Current directory is \\192.168.2.1\Teszt\
smb: \> cd xx
smb: \xx\>


strace:

chdir("/tmp2")                          = 0
getcwd("/tmp2", 4096)                   = 6
lstat64("/tmp2/*", 0xbf7feb2c)          = -1 ENOENT (No such file or directory)
getcwd("/tmp2", 4096)                   = 6
getcwd("/tmp2", 4096)                   = 6
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)


nobody   15574  0.0  0.5  18756  2620 ?        S    10:52   0:00 /usr/sbin/smbd -D -s /etc/samba/smb.conf


xyz:/tmp2 # su - nobody
nobody@zyx:~> cd /tmp2/
nobody@xyz:/tmp2> dir
total 4
drwxr-xr-x 2 root root 4096 May  9 10:50 xx

lsattr:

-------------e- ./tmp
-------------e- ./tmp2


Now make sense of that. ;)

> Did it work with a different kernel?

Yes, same samba binary, same config, it works almost everywhere.

> By the way, I'd guess samba config, if I had to :)

Between /tmp and /tmp2 there is nothing in the config to get wrong.


So: it only lets me into /tmp, and it only lets me read those files that
are owned by nobody.


                                                                        -Sygma
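A small added helper, not from this thread, for the kind of strace capture of smbd quoted above: it walks the trace, tracks the last successful chdir(), and reports every path access that failed with EACCES/EPERM as an absolute path, so the list can be compared directly against what the same user sees at the shell. The embedded trace is a constructed sample modelled on the excerpt in the mail, not a real capture.

```python
import posixpath
import re

# Constructed sample in strace's default output format (not a real capture).
SAMPLE_TRACE = """\
chdir("/tmp2")                          = 0
getcwd("/tmp2", 4096)                   = 6
lstat64("/tmp2/*", 0xbf7feb2c)          = -1 ENOENT (No such file or directory)
getcwd("/tmp2", 4096)                   = 6
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
chdir("/tmp")                           = 0
open("hello", O_RDONLY)                 = -1 EACCES (Permission denied)
"""

# name(args) = retval [ERRNO (message)]
SYSCALL_RE = re.compile(
    r'^(\w+)\((.*)\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+)\s+\((.*)\))?\s*$'
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def first_string_arg(args):
    """First quoted argument of a syscall, e.g. the path of open()/openat()."""
    m = QUOTED_RE.search(args)
    return m.group(1) if m else None

def permission_failures(trace_text):
    """Return (syscall, absolute_path, errno) for every call denied with
    EACCES or EPERM. Relative paths (".", "hello") are resolved against the
    most recent successful chdir() seen earlier in the trace."""
    cwd = "/"
    failures = []
    for line in trace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        name, args, ret, err, _msg = m.groups()
        path = first_string_arg(args)
        if name == "chdir" and ret == "0" and path:
            cwd = path
            continue
        if err in ("EACCES", "EPERM") and path is not None:
            absolute = path if path.startswith("/") \
                else posixpath.normpath(posixpath.join(cwd, path))
            failures.append((name, absolute, err))
    return failures

if __name__ == "__main__":
    for name, path, err in permission_failures(SAMPLE_TRACE):
        print(f"{err}: {name}() on {path}")
```

Run the real thing with `strace -f -p <smbd pid> -e trace=file 2> trace.txt` and feed the file in; each reported path is then a concrete candidate to check with `su - nobody -c 'ls -ld <path>'`.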
_________________________________________________
linux list      -      linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux