I stumbled on something odd. Samba seems to require read permissions on the filesystem on a target folder if I want to move a file to it (not for copying). This goes across Samba versions (2 tested) and underlying file systems (local filesystem with ext4, nfs mount).
Is there some way to get rid of this restriction?
Test case:
Create directory structure as root
su - root
mkdir -p /tmp/samba_test/write_only
chmod 777 /tmp/samba_test
chmod 773 /tmp/samba_test/write_only
Verify directory structure
find /tmp/samba_test -exec ls -ald {} \;
drwxrwxrwx 3 root root 4096 Dez 9 12:44 /tmp/samba_test
drwxrwx-wx 2 root root 4096 Dez 9 12:17 /tmp/samba_test/write_only
Create file as unprivileged user (access as others)
touch /tmp/samba_test/file
find /tmp/samba_test -exec ls -ald {} \;
drwxrwxrwx 3 root root 4096 Dez 9 13:47 /tmp/samba_test
drwxrwx-wx 2 root root 4096 Dez 9 12:17 /tmp/samba_test/write_only
find: ‘/tmp/samba_test/write_only’: Keine Berechtigung
-rw-rw-r-- 1 www-data www-data 0 Dez 9 13:47 /tmp/samba_test/file
Move file to write_only
mv /tmp/samba_test/file /tmp/samba_test/write_only
find /tmp/samba_test -exec ls -ald {} \;
drwxrwxrwx 3 root root 4096 Dez 9 13:49 /tmp/samba_test
drwxrwx-wx 2 root root 4096 Dez 9 13:49 /tmp/samba_test/write_only
find: ‘/tmp/samba_test/write_only’: Keine Berechtigung
Check that file is there as root
find /tmp/samba_test -exec ls -ald {} \;
drwxrwxrwx 3 root root 4096 Dez 9 13:49 /tmp/samba_test
drwxrwx-wx 2 root root 4096 Dez 9 13:49 /tmp/samba_test/write_only
-rw-rw-r-- 1 www-data www-data 0 Dez 9 13:47 /tmp/samba_test/write_only/file
So that's how Linux (the filesystem ext4?) handles it. Write permissions are enough to move a file to a directory that is only writable but not readable.
Now let's do the same from Samba (Version 4.7.6-Ubuntu, Ubuntu 18.04)!
This is the Samba configuration:
grep -vE "^([[:blank:]]*[#;]|$)" /etc/samba/smb.conf
[global]
workgroup = <Our_Active_Directory>
netbios name = <Our_Server_Hostname>
security = ADS
realm = <Our_Kerberos_Realm>
encrypt passwords = yes
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[samba_test]
comment = Test
path = /tmp/samba_test
Now access the share in your Windows Explorer, create file2 in your share and try to move it to write_only. You'll receive an error that you need permissions for this task (to make changes to file2), those should be granted by . Even chmod 777 /tmp/samba_test/file2 does not change that.
Copying file2 does work (e.g. hold down CTRL to copy in the Windows Explorer)! (You can verify that it's there on your Linux machine.)
Same behaviour if I do this with PowerShell (Move-Item/Copy-Item).
If you do chmod o+r /tmp/samba_test/write_only moving a file there works.
Maybe there is a flag to change Samba's behaviour?
I've tested it with protocol version SMB1, SMB2, SMB3_11 and Samba version 4.7.6/3.6.23
Also tested it in a different environment at home with my Raspberry Pi. SMB3_11, Samba 4.9.5. This is a standalone Samba server used as network target for my Canon printer.
0 Answers