[rsbac] samba

Arkady A Drovosekov rsbac@rsbac.org
Mon, 4 Mar 2002 17:28:44 +0500


Hi,

Thank you all, the log problem was located in klogd.
But...
samba on the way:
I tried to assign a separate role to the samba daemon (smbd) with rw rights
for only one directory.
I've created the role and made it the forced role for smbd, and assigned an ACL
for the directory to make read/write possible for the new role. I didn't change
the fd_type of this directory, so it is a general fd.

And there is a problem: samba can't access this dir.
In the logs there is a message:

Mar  4 16:23:16 host kernel: rsbac_adf_request(): request GET_STATUS_DATA, caller_pid 4854, caller_prog_name smbd, caller_uid 0, target-type DIR, tid Device 3:8 Inode 68545 Path /home/user/out, attr none, value 0, result NOT_GRANTED by ACL

If I change the ACL mask (add RW requests) for /home/user/out, then smbd
works successfully.

Why?

roles, rights and masks:

attr_get_file_dir FILE /usr/sbin/smbd rc_force_role
3

acl_rights -l 3 -p FD /home/user/out/
acl_rights: Role 3
/home/user/out/ : 000000000000000110100000011011010010111111110110100
  APPEND_OPEN
  CHANGE_OWNER
  CHDIR
  CLOSE
  CREATE
  DELETE
  EXECUTE
  GET_PERMISSIONS_DATA
  GET_STATUS_DATA
  LINK_HARD
  MODIFY_ACCESS_DATA
  MODIFY_PERMISSIONS_DATA
  READ
  READ_WRITE_OPEN
  READ_OPEN
  RENAME
  SEARCH
  TRUNCATE
  WRITE
  WRITE_OPEN

acl_mask FD /home/user/out/
/home/user/out/: 000000000000000000000000000000000000000000000000000
acl_mask FD /home/user/
/home/user/: 111000000000000111111111111111111111111111111111111
-- 
Best regards,
Arkady
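
Added example, not part of the original message and not RSBAC project code: a small Python triage script that parses rsbac_adf_request() lines like the one quoted above and counts NOT_GRANTED results per program, deciding module, path and request, which shows at a glance which requests a forced role is being refused. The field layout is assumed from the single log line in the post; the function names and all sample lines after the first are constructed.

```python
import re
from collections import Counter

# Field layout copied from the one rsbac_adf_request() line in the post;
# other RSBAC versions or target types may log differently (assumption).
DENIAL_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), "
    r"caller_pid (?P<pid>\d+), caller_prog_name (?P<prog>[^,]+), "
    r"caller_uid (?P<uid>\d+), target-type (?P<target_type>\w+), "
    r"tid (?P<tid>.*?), attr (?P<attr>[^,]+), value (?P<value>[^,]+), "
    r"result (?P<result>\w+) by (?P<module>.+)$"
)
PATH_RE = re.compile(r"\bPath (?P<path>.+)$")


def parse_denial(line):
    """Return the fields of one rsbac_adf_request() line, or None."""
    m = DENIAL_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["uid"] = int(rec["pid"]), int(rec["uid"])
    p = PATH_RE.search(rec["tid"])
    rec["path"] = p.group("path") if p else None  # tid may carry no path
    return rec


def summarize_denials(lines):
    """Count NOT_GRANTED results per (program, module, path, request)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec and rec["result"] == "NOT_GRANTED":
            counts[(rec["prog"], rec["module"], rec["path"], rec["request"])] += 1
    return counts


# First line is the one from the post; the rest are constructed samples.
SAMPLE_LOG = [
    "Mar  4 16:23:16 host kernel: rsbac_adf_request(): request GET_STATUS_DATA, caller_pid 4854, caller_prog_name smbd, caller_uid 0, target-type DIR, tid Device 3:8 Inode 68545 Path /home/user/out, attr none, value 0, result NOT_GRANTED by ACL",
    "Mar  4 16:23:19 host kernel: rsbac_adf_request(): request GET_STATUS_DATA, caller_pid 4861, caller_prog_name smbd, caller_uid 0, target-type DIR, tid Device 3:8 Inode 68545 Path /home/user/out, attr none, value 0, result NOT_GRANTED by ACL",
    "Mar  4 16:23:19 host kernel: rsbac_adf_request(): request SEARCH, caller_pid 4861, caller_prog_name smbd, caller_uid 0, target-type DIR, tid Device 3:8 Inode 68545 Path /home/user/out, attr none, value 0, result NOT_GRANTED by ACL",
    "Mar  4 16:23:20 host kernel: eth0: link up",
]

if __name__ == "__main__":
    for (prog, module, path, request), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {prog:<8} {module:<4} {path}  {request}")
```
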