Bug 33785 - Files on Samba 4.x shares not executable any longer without explicit "executable" permission
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Blocks: 35137
Reported: 2013-12-19 12:28 CET by Arvid Requate
Modified: 2014-07-10 13:33 CEST

Description Arvid Requate univentionstaff 2013-12-19 12:28:55 CET
Samba 3.6 and earlier allowed open for execution when execute permissions are not present on a file. This has been fixed in Samba 4.0. This change caused an issue e.g. on Ticket#: 2013072221002032.

Starting with Samba 4.0.10 there is a new share option "acl allow execute always", which instructs smbd to skip the execute bit from the ACL check, re-establishing the old behaviour in this case.

Maybe we should make this configurable per share.
Comment 1 Janis Meybohm univentionstaff 2014-05-09 08:41:42 CEST
2014050921003881

This is a quite invasive change to the behaviour between UCS 3.1 and UCS 3.2 that is not even mentioned in changelog/release notes.

Just to make this clear: "Samba 3" setups are affected too!

Workaround:

-- /etc/samba/local.conf
[global]
  acl allow execute always = True
--


I think we should, at least, add this to the release notes.
Comment 2 Stefan Gohmann univentionstaff 2014-05-09 09:48:16 CEST
Set to 3.2-2-errata otherwise it is out of my scope.
Comment 3 Felix Botner univentionstaff 2014-06-17 13:22:52 CEST
Added samba/acl/allow/execute/always (default yes) to univention-samba to configure samba option "acl allow execute always" (global).

YAML: 2014-06-17-univention-samba.yaml
Comment 4 Arvid Requate univentionstaff 2014-06-25 17:35:30 CEST
Ok, looks mostly good, for all four tests (s3,s4)x(master,backup,slave,member) it only failed once in the last 26 test runs. That single failure was an authentication error during the test:

http://jenkins.knut.univention.de:8080/job/UCS%203.2-2%20Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=slave/33/testReport/junit/10_ldap/74schema_update/test/

So verified for now.
Comment 5 Arvid Requate univentionstaff 2014-06-25 17:36:10 CEST
Oops, wrong bug.. ignore the last comment.
Comment 6 Arvid Requate univentionstaff 2014-07-02 15:32:20 CEST
Verified:
 * UCR variable is documented and set to yes on update
 * smb.conf template default is yes
 * A user logged on to a Windows client can execute files without x-bit
 * setting the variable to no restores the old behaviour
 * Advisory ok
Comment 7 Janek Walkenhorst univentionstaff 2014-07-10 13:33:56 CEST
http://errata.univention.de/ucs/3.2/140.html
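
Added example (not part of the bug report or of univention-samba): a small Python audit that reports, per share, whether the "acl allow execute always" option discussed in this bug is in effect, treating [global] as the default for every share and "no" as Samba's built-in default. The sample configuration and its share names are constructed, and include lines are not followed.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
OPTION = "aclallowexecutealways"  # smb.conf option names ignore case and spaces

def parse_smb_conf(text):
    """Return {section: {normalized_option: value}} from smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def to_bool(value, default):
    v = value.lower()
    return True if v in TRUE else False if v in FALSE else default

def effective_execute_always(text):
    """Map each share to True if smbd skips the execute-bit check there."""
    sections = parse_smb_conf(text)
    # A value in [global] becomes the default for every share.
    default = to_bool(sections.get("global", {}).get(OPTION, "no"), False)
    return {name: to_bool(opts.get(OPTION, ""), default)
            for name, opts in sections.items() if name != "global"}

def shares_skipping_x_bit(text):
    return sorted(n for n, on in effective_execute_always(text).items() if on)

# Constructed sample, not a real configuration.
SAMPLE = """
[global]
  acl allow execute always = True
[software]
  path = /srv/software
[Uploads]
  path = /srv/uploads
  ACL Allow Execute Always = no
[scans]
  path = /srv/scans
  aclallowexecutealways = off
"""
```

Running it over the output of `testparm -s` rather than a single file also covers settings pulled in from included files such as the local.conf workaround above.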