Remove hard-coded Samba privileges?

[Kevin Hunter Kesling]

Hello Forum,

I've just set up some local user-accounts on our recently purchased FreeNAS box (our organization does not have an AD server), and am attempting to ascertain why all users have certain Samba privileges. For example, one privilege which we decidedly do not want all users to have is the ability to take ownership of any object: SeTakeOwnershipPrivilege. However, I see a number of lines like this in the log whenever smbd starts:

Jul 27 15:39:37 nasbox notifier: Granted SeTakeOwnershipPrivilege to NASBOX.COMPANY\jimbob
Jul 27 15:39:37 nasbox notifier: Granted SeBackupPrivilege to NASBOX.COMPANY\jimbob
Jul 27 15:39:37 nasbox notifier: Granted SeRestorePrivilege to NASBOX.COMPANY\jimbob​

Looking at /usr/local/libexec/nas/generate_smb4_conf.py, I see that these privileges are hard-coded (so there must be a good reason!). As I'd rather not touch random scripts on the machine without a heck of a lot more knowledge of the FreeNAS internals than I have, I wonder:

1. Why are these privileges hard-coded?
2. More importantly, is there a way to remove at least SeTakeOwnershipPrivilege from all but a few CIFS users through the web-interface?

Thanks,

Kevin

 

[anodos]

Hello Forum,

I've just set up some local user-accounts on our recently purchased FreeNAS box (our organization does not have an AD server), and am attempting to ascertain why all users have certain Samba privileges. For example, one privilege which we decidedly do not want all users to have is the ability to take ownership of any object: SeTakeOwnershipPrivilege. However, I see a number of lines like this in the log whenever smbd starts:

Jul 27 15:39:37 nasbox notifier: Granted SeTakeOwnershipPrivilege to NASBOX.COMPANY\jimbob
Jul 27 15:39:37 nasbox notifier: Granted SeBackupPrivilege to NASBOX.COMPANY\jimbob
Jul 27 15:39:37 nasbox notifier: Granted SeRestorePrivilege to NASBOX.COMPANY\jimbob​

Looking at /usr/local/libexec/nas/generate_smb4_conf.py, I see that these privileges are hard-coded (so there must be a good reason!). As I'd rather not touch random scripts on the machine without a heck of a lot more knowledge of the FreeNAS internals than I have, I wonder:

1. Why are these privileges hard-coded?
2. More importantly, is there a way to remove at least SeTakeOwnershipPrivilege from all but a few CIFS users through the web-interface?

Thanks,

Kevin

See git commit here: https://github.com/freenas/freenas/commit/e415a32eb41142ad504c9fedafa679c0e3496a1c

Apparently those rights are needed to allow users to administer permissions through windows. Ability to modify ACLs will still depend on the user / group having "full control" so I don't think that it leaves permissions wide-open. This code also should only affect standalone servers.

 

[Kevin Hunter Kesling]

Huh. I'll have to test that more thoroughly then, because one of the ways I was able to make some changes in the setup as a regular user (without Full Control) was to take ownership. Perhaps I overlooked a detail -- I'll post back if I'm not having brain bit-rot and can in fact recreate this behavior.

Meanwhile, we're a small software company (< 20 employees, currently), and the trust factor is such that we'd like to let employees have "full control" over folders in a share rather than requiring administrative help for random small details -- i.e., let's not make more work for ourselves than we must. Of course, our (apparently varying) definition of full control is that we don't want employees to arbitrarily change ownership of files. My first ham handed approach would have been to remove the SeTakeOwnershipPrivilege from all except administrative users, but given the hard-coding of that and your commit pointer, that's clearly not the best approach.

As ever, I suppose I incorrectly assumed I understood the Windows ACL infrastructure as it pertained to Samba.