POSIX permissions failing

Forum » Forum / My Book World Edition (white light) » POSIX permissions failing

Started by:

Arroyo
Date: 21 Sep 2009 00:08
Number of posts: 6

Summary:

I am using users and groups to set permissions to shared folders. Somehow, users that should not have access to certain folders can do it, despite of POSIX permissions.

Unfold All Fold All More Options

Fold

POSIX permissions failing

Arroyo 21 Sep 2009 00:08

I am using users and groups to set permissions to my shared folders, which are accessed via Samba. Somehow, users that should not have access to certain folders can do it, despite of world read being disabled and that they don't belong to the folder's group.

Let's start with the problem. This is one of my folders:

folder /DataVolume/Public/Backup/

drwxr-x---   14 Andre    casa         4096 Aug 12 01:43 A organizar
drwxrwx---    3 Andre    familia        22 Aug 12 01:43 Antigo
drwxrwx---    8 Andre    casa           89 Aug 12 03:07 COBEL
drwxrwx---   12 Andre    familia       146 Aug 12 04:45 Dell Mimi
drwxrwx---    2 arroyo   familia         6 Sep 21 01:46 EE
drwx------    6 Andre    familia      4096 Aug 12 04:48 Inbev
drwxrwx---    2 Andre    familia      4096 Aug 12 04:49 Library B
drwxrwx---    2 Andre    familia      4096 Aug 12 04:49 Library C
drwx------  188 Andre    familia     12288 Sep 14 02:43 Mail

I am trying to access (via samba or just doing cd) folder "A organizar", using username "arroyo".
The user is not part of group "casa", and therefore should not be able to read such folder. But it does.

Some files:

passwd

(...)
admin:x:98:1000:administrator:/shares:/bin/sh
nobody:x:99:1000:nobody:/home:/bin/sh
nfsnobody:x:65534:65534:nfsnobody:/nfs:/bin/sh
jewab:x:500:1000:jewab:/home:/bin/sh
guest:x:501:501:Linux User,,,:/shares:/bin/sh
Andre:x:502:1001:Linux User,,,:/shares:/bin/sh
anarroyo:x:503:1000:Linux User,,,:/shares:/bin/sh
arroyo:x:504:1002:Linux User,,,:/shares:/bin/sh
Mimi:x:505:1001:Linux User,,,:/shares:/bin/sh
gistelinck:x:506:1002:Linux User,,,:/shares:/bin/sh
convidado:x:507:1003:Linux User,,,:/shares:/bin/sh

group

ftp:x:14:ftp
admin:x:98:admin
nobody:x:99:guest
users:x:100:
nfsnobody:x:65534:
jewab:x:1000:nobody
Andre:x:502:Andre
Mimi:x:505:Mimi
arroyo:x:504:arroyo
gistelinck:x:506:gistelinck
casa:x:1001:Andre,Mimi,admin
familia:x:1002:Andre,Mimi,arroyo,gistelinck,admin
convidado:x:507:convidado
convidados:x:1003:Andre,Mimi,arroyo,gistelinck,convidado,jewab,admin

/etc/vsftpd.share_acl

admin=:Public:Download:
Andre=:Public:Download:
anarroyo=:Public:Download:anarroyo:
arroyo=:Public:Download:
ftp=:Public:Download:
Mimi=:Public:Download:
convidado=:Public:
gistelinck=:Public:Download:

Last edited on 21 Sep 2009 00:10 by Arroyo Show more

Reply Options

Unfold POSIX permissions failing by

Arroyo, 21 Sep 2009 00:08

Fold

Re: POSIX permissions failing

TobiMac 21 Sep 2009 10:13

I had similar problems. I guess you set all the users and groups via ssh in a shell. Try setting them in the web-frontend. I'm not quite sure why this is, but it worked for me.

Reply Options

Unfold Re: POSIX permissions failing by

TobiMac, 21 Sep 2009 10:13

Fold

Re: POSIX permissions failing

(account deleted) 21 Sep 2009 12:32

Hi,

I had a similar problem which took me weeks to hunt down.
The reason for this behaviour is, that Western Digital tainted the linux kernel with a patch named 'trustees'. See the project homepage for details.
You can restore normal behavior by executing
/usr/sbin/settrustees -D
on every reboot or editing /etc/trustees.conf
You would want something like
[/dev/md2]/nfs-public:*:U
in there.
Please note, that /etc/trustees.conf as well as other security-relevant files like /etc/exports get reset (i.e. overwritten with the old data) on every reboot !

Since 'trustees' has not been compiled as a kernel module, I could not get completely rid of this f**k.

Hope this helps.

Blip

Last edited on 22 Sep 2009 09:25 by

(account deleted) Show more

Reply Options

Unfold Re: POSIX permissions failing by

(account deleted), 21 Sep 2009 12:32

Fold

Re: POSIX permissions failing

Arroyo 21 Sep 2009 23:58

Thanks Blip,

Including /usr/sbin/settrustees -D in one of the startup scripts solved the problem.

Editing /etc/trustees.conf did not work because that file is also restored on every reboot.

Reply Options

Unfold Re: POSIX permissions failing by

Arroyo, 21 Sep 2009 23:58

Fold

Re: POSIX permissions failing

(account deleted) 22 Sep 2009 09:33

I'm sorry for being a little unprecise with my notice about the system-files being
resetted on every reboot. I've edited my hints - now it should be clearer that
editing /etc/trustees.conf by hand does not help indeed. I have a script that does
something like "cat /path/to/my/modified/trustees.conf > /etc/trustees.conf"
for every stubbornly resetted file as the last thing in /etc/init.d/rcS
The reason for doing so is that I do not trust the box (i.e. the webinterface) to
not calling /usr/sbin/settrustees somewhen later again and then loading the old
permissions …
I'm really thinking about completely disabling the webinterface.

Blip

Reply Options

Unfold Re: POSIX permissions failing by

(account deleted), 22 Sep 2009 09:33

Fold

Re: POSIX permissions failing

wkorosec 03 Dec 2011 16:50

Hi,
this solution worked for me:

I hacked /usr/local/sbin/setTrustees.sh to append the line

/dev/sda4]/shares:+share:RBEX:www-data:RBEX

to /etc/trustees.conf

….
cp ${trustees} ${TRUSTEES_MOD}
cat ${TMP_FILE} » ${TRUSTEES_MOD}

#----- MOD BY WOLFGANG
echo "[/dev/sda4]/shares:+share:RBEX:www-data:RBEX" » ${TRUSTEES_MOD}
#----- END MOD
settrustees -f ${TRUSTEES_MOD}

rm ${TMP_FILE}

#-----

End Script

#-----
….

Reply Options

Unfold Re: POSIX permissions failing by

wkorosec, 03 Dec 2011 16:50

New Post

Hacking WD MyBook World Ed

Main

Browse

FAQs

Page tags

Add a new page

Other interesting sites

PassatB5

Dragon Trees

美國城鎮旅遊網

The Cloudrooms云室维基