Mount of SAMBA share via fstab ignores file permissions and somehow sets its own

Asked by Martin Johannes Dauser

This problem seems to be introduced by one of the latest SAMBA updates of bionic 18.04 and xenial 16.04. Our Debian stretch 9.5 clients operate as expected. The SAMBA server is running RHEL7.5.

If we mount the SAMBA share via fstab entry, file permissions on the client are altered to allow anybody to read or execute files -- or access directories. It's possible to set file_mode and dir_mode in fstab to mitigate this behaviour, still we'd love to know why it happens.

//server.fqdn/samba /samba cifs noauto,user,username=user,file_mode=0600,dir_mode=0700

Hopefully it's not a bug.

Greetings
Martin

## Debian CLIENT#########

/etc/fstab
//server.fqdn/samba /samba cifs user,noauto,username=user 0 0

$ mount /samba
$ ls -lah /samba
drwx------+ 2 user group 0 Dez 13 15:39 .
drwxr-xr-x 1 root root 282 Dez 13 14:53 ..
-rw-------+ 1 user group 0 Dez 13 15:39 touch.file

As ACL is set too:

$ getfacl /samba/touch.file
# file: samba/touch.file
# owner: user
# group: group
user::rw-
group::---
other::---

## Ubuntu CLIENT#########

/etc/fstab
//server.fqdn/samba /samba cifs user,noauto,username=user 0 0

$ mount /samba
$ ls -lah /samba
drwxr-xr-x 2 user group 0 Dez 13 15:39 .
drwxr-xr-x 31 root root 4,0K Dez 13 15:46 ..
-rwxr-xr-x 1 user group 0 Dez 13 15:39 touch.file

$ umount /samba
$ ls -lah /samba
drwx------ 2 user group 4,0K Dez 13 15:46 .
drwxr-xr-x 31 root root 4,0K Dez 13 15:46 ..

## RHEL SERVER #########

#ls -lah of server.fqdn:/srv/share/samba/user
drwx------. 2 user group 31 13. Dez 15:39 .
drwxr-xr-x. 9 root adm 4,0K 13. Mär 2018 ..
-rw-------. 1 user group 0 13. Dez 15:39 touch.file

server.fqdn:/etc/samba/smb.conf
[global]

        server string = Samba Server Version %v
        netbios name = server
        netbiosaliases = file
        workgroup = CS

        hosts allow = 127., 192.168.1.0/24

        security = user
        passdb backend = tdbsam
        username map = /etc/samba/usermap
        encrypt passwords = true

        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        create mask = 0700
        directory mask = 0700

[samba]
        browsable=yes
        create mask = 0700
        directory mask = 0700
        path =/srv/shares/samba/%u
        writeable= yes

# smbstatus
Samba version 4.7.1
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1384 user group 192.168.1.51 (ipv4:192.168.1.51:43066) SMB3_02 - partial(AES-128-CMAC)

Question information

Language: English
Status: Solved
For: Ubuntu cifs-utils
Assignee: No assignee
Solved by: Martin Johannes Dauser

Martin Johannes Dauser (feneks) said :
#2

Hi wesam66,

The problem with the fstab entry is that you are bound to those permissions and you can't alter them as a user.

Another possibility is to create an extra parent folder and mount the SAMBA share as a subfolder. The parent folder then needs strict permissions, so nobody but the owner may enter this folder or subfolders:

/etc/fstab
//server.fqdn/samba /parent/samba cifs user,noauto,username=user 0 0

# mkdir -p /parent/samba
# chown -R user:group /parent
# chmod 700 /parent

$ mount /parent/samba
$ ls -lah /parent
drwx------ 1 user group 10 Dez 18 15:45 .
drwxr-xr-x 31 root root 4,0K Dez 18 15:45 ..
drwxr-xr-x 2 user group 0 Dez 13 15:39 samba

Of course you can create this parent folder within the home folder too. This will give more leeway to the user. Still this isn't a solution but a mitigation.

Martin Johannes Dauser (feneks) said :
#3

Found it!

Till now mapping of POSIX/UNIX permissions is only possible with cifs unix extensions. But this one is deprecated as it only supports SAMBA protocol version SMB1.

Per default Debian clients still connect via SMB1 to get correct POSIX permissions, whereas Ubuntu now defaults to SMB3, which means you'll lose mapping of permissions: "Note that when connecting using SMB2 or SMB3 protocols the UNIX extensions are no longer available inside the smbclient command set. This is due to UNIX extensions not yet being defined for the SMB2 or SMB3 protocols." (quoting https://www.samba.org/samba/history/samba-4.1.0.html)

There is a SMB3 POSIX Extension -- but not ready yet. See https://wiki.samba.org/index.php/SMB3-Linux

To regain unix permissions you need to drop to SMB1:

/etc/fstab
//server.fqdn/samba /parent/samba cifs user,noauto,vers=1.0,username=user 0 0

To some extent the problem is solved. Improvements are expected upstream.
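
An audit of fstab for the situation described in this thread, added here as an example and not part of any post. It classifies each cifs entry as SMB1 (vers=1.0, server permissions mapped), PINNED (owner-only file_mode and dir_mode) or EXPOSED. The function names and sample entries are constructed, and it assumes a client that negotiates SMB2 or later when vers= is absent, as the Ubuntu clients in the question do.

```shell
#!/bin/sh
# Added example (not from the thread): classify cifs entries in fstab-format
# input on stdin. Assumption: without vers=1.0 the client uses SMB2+.

# get_opt OPTIONS NAME: print the value of NAME=value from a comma-separated list
get_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# mode_is_private MODE: succeed only if octal MODE grants nothing to group/other
mode_is_private() {
    case "$1" in
        ''|*[!0-7]*) return 1 ;;   # option missing or not octal
        *00)         return 0 ;;   # e.g. 0600, 0700
        *)           return 1 ;;   # e.g. 0755, 0644
    esac
}

# audit_cifs_fstab: print "<STATUS> <mount point>" for every cifs entry
audit_cifs_fstab() {
    while read -r dev mnt fstype opts rest || [ -n "$dev" ]; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$fstype" = cifs ] || continue
        if [ "$(get_opt "$opts" vers)" = "1.0" ]; then
            echo "SMB1 $mnt"       # UNIX extensions: modes come from the server
        elif mode_is_private "$(get_opt "$opts" file_mode)" &&
             mode_is_private "$(get_opt "$opts" dir_mode)"; then
            echo "PINNED $mnt"     # owner-only modes fixed in fstab
        else
            echo "EXPOSED $mnt"    # default or permissive mode reaches group/other
        fi
    done
}

# Constructed sample, modelled on the fstab lines quoted in the thread
sample_fstab() {
    cat <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
//server.fqdn/samba /samba cifs user,noauto,username=user 0 0
//server.fqdn/samba /samba-pinned cifs noauto,user,username=user,file_mode=0600,dir_mode=0700 0 0
//server.fqdn/samba /parent/samba cifs user,noauto,vers=1.0,username=user 0 0
//server.fqdn/samba /samba-half cifs user,noauto,username=user,file_mode=0600 0 0
UUID=0000 / ext4 defaults 0 1
EOF
}

sample_fstab | audit_cifs_fstab
```

To check a real system, feed the file on stdin: `audit_cifs_fstab < /etc/fstab`. An entry reported as EXPOSED may still be shielded by a 0700 parent directory as in reply #2, which this check does not inspect.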