From: Pierre Carrier on
Hello list,


Short introduction: I'm Pierre, on my non-free time I work for Red Hat
in Farnborough, UK. I'm not really using Samba extensively myself, but
how could one not love a source tree containing torture.c and weird.c?

About that, if anyone can explain what the latter is for, I'd be very
interested... "Add the weird charset in 3_0 and build it by default
for ./configure --enable-developer" in the git repo didn't hit me.

Problem
-------

I'd like to write a workaround for "MS Word with Samba Changes Owner of File"
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334

A university is using relatively complex POSIX ACLs and the currently
provided workaround wouldn't be enough.

Approach
--------
A VFS module seems like the best way to go:
1) If a file is renamed to a MS Office temporary file, we store its
permissions incl. POSIX ACLs
2) If a MS Office temporary file is renamed, we restore the
permissions of the corresponding file in 1) if any

Given both the renames were made by the same user, I assume no
security checks are necessary.

Obviously this means I should match the filenames for both MS Office
documents and temporary files.
A good reason to avoid such a procedure when MS Office is not
involved is for example to avoid losing the SUID bit on binaries, even
though it's far-fetched.

Why this E-mail
---------------
I found http://support.microsoft.com/kb/211632 which doesn't cover
matching patterns but gives examples.
However I just reproduced the problem with a Microsoft Office 2010
installation on Windows XP (cf log extracts after my signature) and:
- I got filenames without the "~wrd"-like part they always show
- It also applies to non-Microsoft file formats, making the list too long

At the current stage I therefore intend:
- To only rely on the .tmp extension for temporary files
- Not to match any pattern for documents MS Office manipulates

I'd rather:
- Find some clever way to only store permissions of documents renamed
by MS Office
- Get better patterns to match temporary files

How to help
-----------
If you want to see this happen, mailing me to mention you could use
this vfs module will motivate me :)

If you are willing to help, you can do so by providing data from your
environment:
- Enabling "vfs objects = extd_audit:2" for a share
- Provide me with the corresponding logs when you save an existing
file on this share
 "grep vfs_extd_audit" through your recent logs would be enough, no
need to prepare them further

Ideally, I'd like to get covered:
- All versions of Microsoft Office
- All versions of Microsoft Windows
- All supported file formats?

Moreover I'll be targeting/testing on Linux only, so users of other
OSes will be welcome.


Thank you for your time,

--
Pierre Carrier

log.pierre-a3ca0284.1:  vfs_extd_audit: rename old: ./s.docx newname: ../5D1CA1C1.tmp
log.pierre-a3ca0284.1:  vfs_extd_audit: rename old: ./86A278C0.tmp newname: ./s.docx
log.pierre-a3ca0284.2:  vfs_extd_audit: rename old: ./Classeur1.xls newname: ./F7C49255.tmp
log.pierre-a3ca0284.2:  vfs_extd_audit: rename old: ./9E117AA4.tmp newname: ./Classeur1.xls
log.pierre-a3ca0284.2:  vfs_extd_audit: rename old: ./Classeur1.xls newname: ./CFAF4030.tmp
log.pierre-a3ca0284.2:  vfs_extd_audit: rename old: ./DB0C8C2B.tmp newname: ./Classeur1.xls
log.pierre-a3ca0284.3:  vfs_extd_audit: rename old: ./a.odt newname: ../DD33EC9A.tmp
log.pierre-a3ca0284.3:  vfs_extd_audit: rename old: ./E629A9BD.tmp newname: ./a.odt
log.pierre-a3ca0284.3:  vfs_extd_audit: rename old: ./a.odt newname: ../4817EFB8.tmp
log.pierre-a3ca0284.3:  vfs_extd_audit: rename old: ./6F25FD3.tmp newname: ./a.odt
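
The two-step approach described in the message, replayed over its own log extract. This is an added example, not part of the original e-mail or of Samba; `replay`, `is_office_tmp` and the `OFFICE_TMP` pattern are hypothetical names, and the pattern is an assumption inferred from the ten log lines only.

```python
import re

# Rename lines from the log extract above (log-file prefix dropped); the last
# line is a constructed non-Office rename added for contrast.
SAMPLE_LOG = """\
vfs_extd_audit: rename old: ./s.docx newname: ../5D1CA1C1.tmp
vfs_extd_audit: rename old: ./86A278C0.tmp newname: ./s.docx
vfs_extd_audit: rename old: ./a.odt newname: ../4817EFB8.tmp
vfs_extd_audit: rename old: ./6F25FD3.tmp newname: ./a.odt
vfs_extd_audit: rename old: ./notes.txt newname: ./notes.bak
"""

RENAME = re.compile(r"rename old: (.+?) newname: (.+)$", re.M)
# Assumption inferred from the extract only: 1 to 8 upper-case hex digits
# followed by ".tmp". 6F25FD3.tmp has 7 digits, so a fixed {8} would miss it.
OFFICE_TMP = re.compile(r"[0-9A-F]{1,8}\.tmp")

def is_office_tmp(path):
    return OFFICE_TMP.fullmatch(path.rsplit("/", 1)[-1]) is not None

def replay(log_text):
    """Pair step 1 (document -> temp) with step 2 (temp -> document).

    Returns (restored, pending): completed save cycles as
    (document, temp it was moved to, temp that replaced it), and documents
    moved aside whose replacement never arrived.
    """
    pending = {}   # document path -> temp path; a module would keep mode+ACL here
    restored = []
    for old, new in RENAME.findall(log_text):
        old_tmp, new_tmp = is_office_tmp(old), is_office_tmp(new)
        if new_tmp and not old_tmp:        # step 1: remember the document
            pending[old] = new
        elif old_tmp and not new_tmp:      # step 2: restore only if remembered
            if new in pending:
                restored.append((new, pending.pop(new), old))
        # every other rename leaves stored state untouched
    return restored, pending

if __name__ == "__main__":
    done, left = replay(SAMPLE_LOG)
    for doc, moved_to, came_from in done:
        print(f"{doc}: moved to {moved_to}, replaced from {came_from}")
    print("never replaced:", left)
```

In every completed cycle the temp file that replaces the document has a different name from the one the document was moved to, so stored permissions have to be keyed by the document path rather than by the temp name.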