Re: Dynamic groups (was Samba and groups > 16)
On Mon, Mar 07, 2005 at 12:54:55PM -0500, David Collier-Brown wrote:[color=blue]
> I try to read /tmp/foo via samba, but the open fails with EACCES.
> A stat of the file returns
> -rw-r--r-- 1 n1sps n1sps 0 Mar 7 12:45 /tmp/foo
> Samba looks in my long list of (AD) groups, finds n1sps, sees
> it is NOT in my active groups list and substitutes it for pwrtl.
> It then retries, and if it's a read request succeeds. If it's
> a write request it gets EACCESS again, but this time I'm already
> in the right group, so samba returns -1, errno=EACCESS.[/color]
Fine. This might work in the simple case without ACLs. Or worse: You're
currently not in group n1sps, but the mode is 707. According to AD you should
be denied access as AD says you're in group n1sps, but you are granted access
now, as the mask for "others" applies. Ouch. So it ends up as a complete
user-space implementation of access controls which is racy at best. With Posix
ACLs which are necessary in all but the simplest environments this only gets
worse. It's not only a stat() call per file system access but a complete
reading of the ACL.
Sorry, but jerry is right: Fix your OS.
> Which means that only Linux can be used for large sites!
> Which is cool for Linuxians, but a bummer for anyone using
No, this is *not* limited to Linux. This is limited to all operating systems
that have removed this silly and unnecessary limit.