Bug #11773

Domain admins seem to be exempt from ACLs with smbd

Added by Adam Stylinski 13 days ago. Updated 4 days ago.

Status: New
Priority: High
Assignee: -
Category: cifs - CIFS server and client
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:

Description

As a domain admin, I get full read/read/execute permission regardless of the ACL set. My dataset currently has aclmode=passthrough and aclinherit=passthrough (not that it should matter). I set ACLs explicitly, both through NFS clients and through Windows' security dialog (both of which seem to otherwise take effect for non-DA users), and yet still have full access through Windows as the DA (but not as the DA through Kerberized NFS4).

I would think this is a security bug. The DA should, at the very worst, need to adjust the ACLs, which can generate an audit event.

History

#1

Updated by Jorge Schrauwen 12 days ago

Of interest, our behavior seems to match the samba behavior.

If you are part of the 'admin users' property for a share (aka domain admin) you basically ignore all ACLs set when accessing the data via samba.

So that seems to match what is happening here.

#2

Updated by Adam Stylinski 12 days ago

Does this behavior match Windows' behavior? It just doesn't jibe with how ACLs usually operate. At the very least, it's inconsistent with NFS4 ACLs, which, as you'd imagine, have no notion of a super admin. Does samba do this when joined to a domain rather than explicitly setting an "admin users" list in their local user database?

#3

Updated by Jorge Schrauwen 12 days ago

I believe, if you use the 'net' to add a user or group to the Administrators or... I forgot the name of the other group, yes... it will have the same behavior.

On the point of ACLs... NFS4 ACLs != Windows ACLs though, they do not map 100%.

#4

Updated by Adam Stylinski 8 days ago

Just tried sharing a file on Windows 10 to another Windows host with permission share permissions but an ACL on a file was restricted in such a way that only the owner could do anything with it. I received access denied from the domain admin's access (the file is owned by an otherwise ordinary user).

This is definitely a bug in that it doesn't match Windows' behavior.

#5

Updated by Gordon Ross 8 days ago

We have a fix for this. It's even in the "upstream" queue already.
Just takes time...

#6

Updated by Adam Stylinski 4 days ago

Gordon, can you point me to where these fixes are, or are they in a closed repo? I just want to make sure we're referring to the same bug behavior.
