Users can modify owner's permissions on SMB share of dataset

Pheggas

Cadet
Joined
Dec 29, 2021
Messages
7
Hello. I will try to describe the whole story in detail. At first I was searching for a way to set a user's permissions on shared SMB shares at the folder level. So let's have Users A, B and C. User A is meant to be the admin / owner of the dataset, so I want to set full control for that user. Next, User B should have access to only one subfolder within the folder in the root path. And finally, User C should have the same permissions as User B but on a different subfolder.

So I found it can be done via Windows, specifically right click on folder -> Properties -> Security. So I went there, additionally clicked on the Edit button and saw something I didn't want to. In the following screenshot you can see (a mess) weird naming and even more weird permissions.
1663610616617.png


The user "Syncek" or "TRUENAS\pheggask" is the owner of the whole dataset, so of this folder's properties too. I instantly noticed that not only the owner user is shown but also its group (at the top, "pheggas (Unix Group\pheggas)"). I have a couple of questions right here.

1. Why does the owner's group have a different domain than the owner itself? (Unix Group and TRUENAS)
2. Why are there users / groups CREATOR OWNER and CREATOR GROUP?
3. Where could I set the name of that domain TRUENAS?

Now the even more weird part.

1663610943199.png


On this screenshot you can see that the owner "Syncek" has no permissions whatsoever. However, it does have "Special permissions" checked and grayed out, so it can't be changed. Shown here:

1663611041817.png


The same permission set is on the pheggas group and also on CREATOR OWNER and CREATOR GROUP. When it comes to "Tatino (TRUENAS\toto)" and "Mamina (TRUENAS\momo)", they both have the same permissions, and they look like this:

1663611205807.png


Note that Special permissions is also checked and grayed out. The weirdness in this is that I see the same permission set (as I described above) via every user (so the pheggask, Tatino and Mamina users). So technically I could edit all of the owner's permissions to Deny and basically deny all access to that dataset as a normal user. In the same way, I'm unable to uncheck Allow permissions on users from the owner's perspective.

TL;DR: The owner can't restrict anything, but a standard user can restrict the owner's permissions.
I'm sure you would need to see my TrueNAS settings. I have no problem with that, just write down which screens I should screenshot for you.

Thanks to everyone who will help, and I hope that this will get resolved ASAP, as this is a really big security concern from my view (as the admin).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Note: security concerns should be raised as a jira ticket in our bug tracker (jira.ixsystems.com).
This is a matter of common courtesy to avoid unnecessarily exposing other users to security issues while things are being worked on.


What version of TrueNAS is this?

1. Why does the owner's group have a different domain than the owner itself? (Unix Group and TRUENAS)
A Windows client does not receive Unix usernames over the wire as part of the Windows Security Descriptor sent by an SMB server. The client receives basically a list of SIDs that it can then submit in a separate RPC request to convert into names via the LSA-RPC pipe on the SMB server.
We do not map default user primary groups into SMB groups. Unmapped groups have a SID of S-1-22-2. The domain prefix of these gets translated to "Unix Group". Your users _are_ mapped to SMB users, and groups flagged as SMB groups are also mapped to SMB groups. These mapped ones have a prefix of your server's netbios name (TRUENAS).

2. Why are there users / groups CREATOR OWNER and CREATOR GROUP?
These map to the local owner and group permissions (owner@, group@) in NFSv4 ACLs, or User and Group.

Where could I set the name of that domain TRUENAS?
That's the netbios name.

this screenshot you can see that the owner "Syncek" has no permissions whatsoever. However, it does have "Special permissions" checked
If there are "special permissions", then there are permissions. This is just how the Windows UI works.

grayed out so can't be changed
This just means your user either (1) lacks permissions or (2) the ACL entry is inherited from the parent and may not be altered without disabling inheritance. This is normal Windows behavior.

TL;DR: The owner can't restrict anything, but a standard user can restrict the owner's permissions.
The owner of a dataset's mountpoint is not the owner of every file in the dataset. User creates a file, user owns the file. The owner of a file is de facto super-user as to that file. This is normal behavior in Unix, macOS, and Windows.
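The SID-to-name step described above (the descriptor carries SIDs; the client resolves them through a separate LSA lookup, and the prefix decides whether the name shows as "Unix Group\..." or "TRUENAS\...") can be modelled in a few lines. The following is an added illustration, not Samba or TrueNAS code: the S-1-22-2 prefix and the TRUENAS netbios name come from the thread, while the S-1-22-1 "Unix User" prefix and the S-1-3-x / S-1-1-0 well-known SIDs are Samba/Windows conventions assumed here, and the machine SID and lookup table are constructed.

```python
import re

# Prefixes: S-1-22-2 ("Unix Group") is from the thread; S-1-22-1 ("Unix User") and the
# well-known SIDs below are Samba/Windows conventions assumed for this illustration.
UNIX_USER = "S-1-22-1"
UNIX_GROUP = "S-1-22-2"
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER", "S-1-3-1": "CREATOR GROUP"}

SERVER_NETBIOS = "TRUENAS"                     # netbios name from the thread
SERVER_DOMAIN_SID = "S-1-5-21-1000-2000-3000"  # constructed placeholder, not a real machine SID

# Constructed stand-in for the server's LSA lookup table (the separate RPC the client makes).
LSA_TABLE = {
    f"{SERVER_DOMAIN_SID}-1001": "pheggask",   # mapped SMB user -> TRUENAS\pheggask
    f"{SERVER_DOMAIN_SID}-1002": "toto",
    f"{SERVER_DOMAIN_SID}-1003": "momo",
    f"{UNIX_GROUP}-1001": "pheggas",           # unmapped primary group -> Unix Group\pheggas
}

SID_RE = re.compile(r"S-1-(\d+)((?:-\d+)+)")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (identifier authority, [sub-authorities])."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def domain_for(sid):
    """Pick the display domain the Windows ACL editor shows, from the SID's prefix."""
    prefix, _, _rid = sid.rpartition("-")
    if prefix == UNIX_GROUP:
        return "Unix Group"
    if prefix == UNIX_USER:
        return "Unix User"
    if prefix == SERVER_DOMAIN_SID:
        return SERVER_NETBIOS
    return None


def resolve(sid):
    """Return 'DOMAIN\\name' as the ACL editor displays it, or the raw SID when unresolvable."""
    parse_sid(sid)  # validate the format before anything else
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    domain = domain_for(sid)
    name = LSA_TABLE.get(sid)
    if domain is None or name is None:
        return sid  # Windows falls back to showing the unresolved SID itself
    return f"{domain}\\{name}"


def render_descriptor(aces):
    """aces: (sid, access) pairs as they arrive over the wire; returns the resolved rows."""
    return [(resolve(sid), access) for sid, access in aces]


if __name__ == "__main__":
    # Constructed wire-level descriptor, roughly matching the screenshots in the thread.
    wire = [(f"{UNIX_GROUP}-1001", "modify"), (f"{SERVER_DOMAIN_SID}-1001", "full"),
            ("S-1-3-0", "full"), ("S-1-5-21-9-9-9-500", "read")]
    for row in render_descriptor(wire):
        print(row)
```

The last constructed entry shows what happens when a SID has no mapping at all: the editor has nothing to show but the SID string, which is the usual sign that a name lookup failed rather than that permissions are missing.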
 

Pheggas

Cadet
Joined
Dec 29, 2021
Messages
7
What version of TrueNAS is this?
It is TrueNAS-12.0-U8.1

We do not map default user primary groups into SMB groups.
Then how is it possible that I see it?

The domain prefix of these gets translated to "Unix Group"
So as the SID translated to "pheggas", it also translated the domain to Unix Group, right? And if I understood that correctly, if the owner's group were mapped, its domain would change to TRUENAS?

These map to the local owner and group permissions (owner@, group@) in NFSv4 ACLs, or User and Group.
That would answer why those two are there. I kept the ownership permissions at default - created by the "restrict" ACL profile.

That's the netbios name.
By quick googling, it could be changed in Services -> SMB -> Configure, right?

If there are "special permissions", then there are permissions. This is just how the Windows UI works.
So basically TrueNAS isn't 100% in sync with the Windows UI? That's why I don't see the same permissions as in the TrueNAS UI?

This just means your user either (1) lacks permissions or (2) the ACL entry is inherited from the parent and may not be altered without disabling inheritance. This is normal Windows behavior.
The second seems to be the right answer. So I think I need to set the flag to No Inherit, although I still don't understand the concept of that flag.

The owner of a dataset's mountpoint is not the owner of every file in the dataset. User creates a file, user owns the file. The owner of a file is de facto super-user as to that file. This is normal behavior in Unix, macOS, and Windows.
Yeah, I would understand it if the user who created those folders / files on which I saw the permissions were a standard user. Not the owner. But the catch is I created those folders as the owner (that "pheggask") user.

If you have additional concerns, please PM me or file a ticket on Jira.
Thank you, and I appreciate it. My security concerns would get resolved if we could fix the issue I described in my first post - why can't I change a standard user's permissions in the Windows UI when I'm logged in as the owner of those files? Second question, why do I see in the Windows UI, from a standard user's perspective, that I can change the owner's permissions on folders / files that the owner created?

At the beginning I just needed to restrict which folders are readable by standard users and which folders they can modify. Now I need to solve this first. Also, I'm a beginner, as you may have thought. Thank you for your generous reply, and I'm looking forward to another one!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Then how is it possible that I see it?
So as the SID translated to "pheggas", it also translated the domain to Unix Group, right? And if I understood that correctly, if the owner's group were mapped, its domain would change to TRUENAS?
Re-read my answer above regarding S-1-22-2-<RID> SIDs.

So basically TrueNAS isn't 100% in sync with the Windows UI? That's why I don't see the same permissions as in the TrueNAS UI?
It is 100% in sync. There are nuances to the mapping algorithm that generate duplicate entries for owner@ and group@ to more closely follow Windows conventions regarding CREATOR_OWNER and CREATOR_GROUP.


The second seems to be the right answer. So I think I need to set the flag to No Inherit, although I still don't understand the concept of that flag.
No. INHERIT is generally required for ACL entries you want to actually use in places. The purpose of INHERIT is that new files created in the dir will inherit the entry in question.

Yeah, I would understand it if the user who created those folders / files on which I saw the permissions were a standard user. Not the owner. But the catch is I created those folders as the owner (that "pheggask") user.
No. That's not how things work. If a user creates a file, it owns the file. You can hack the SMB configuration to force inheritance of file owner from parent directory, but it's much better to get used to how the OS works.

Why can't I change a standard user's permissions in the Windows UI when I'm logged in as the owner of those files? Second question, why do I see in the Windows UI, from a standard user's perspective, that I can change the owner's permissions on folders / files that the owner created?
Either (1) the user you are authenticated as lacks permissions or (2) you need to disable inheritance for the path in question.

If you want an administrator group to be able to administer permissions, add the group `builtin_administrators` to the dataset's ACL with INHERIT set and FULL_CONTROL, and then make your admin user a member of said group.
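The three points made in this reply (the creating user owns the file, only INHERIT-flagged entries propagate to new files, and an inherited FULL_CONTROL entry for builtin_administrators is what gives an admin user control over files others create) can be checked against a small model of NFSv4-style ACL evaluation. This is an added illustration and not TrueNAS or Samba code; the permission sets, paths, user names and group membership are constructed, and evaluation is simplified to ordered first-match on an explicit entry list.

```python
from dataclasses import dataclass

# Constructed permission sets; real NFSv4 ACLs carry finer-grained bits than these.
FULL_CONTROL = frozenset({"read", "write", "execute", "delete", "write_acl", "write_owner"})
MODIFY = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class Ace:
    who: str               # "owner@", "group@", "everyone@", "u:<user>" or "g:<group>"
    perms: frozenset
    kind: str = "allow"    # "allow" or "deny"
    inherit: bool = False  # FILE_INHERIT + DIR_INHERIT: copied to children on creation


@dataclass
class Node:
    path: str
    owner: str
    group: str
    acl: list              # ordered list of Ace


# Constructed group membership; pheggask is the user who wants to administer the share.
GROUPS = {
    "pheggas": {"pheggask"},
    "toto": {"toto"},
    "builtin_administrators": {"pheggask"},
}


def _matches(ace, node, user):
    if ace.who == "owner@":
        return user == node.owner  # evaluated against the file's current owner, not the dataset's
    if ace.who == "group@":
        return user in GROUPS.get(node.group, set())
    if ace.who == "everyone@":
        return True
    kind, name = ace.who.split(":", 1)
    return user == name if kind == "u" else user in GROUPS.get(name, set())


def allowed(node, user, perm):
    """Ordered first-match: the first matching ACE that mentions perm decides; none means deny."""
    for ace in node.acl:
        if perm in ace.perms and _matches(ace, node, user):
            return ace.kind == "allow"
    return False


def create_child(parent, name, creator):
    """The creating user becomes owner; only ACEs flagged INHERIT are copied down."""
    inherited = [a for a in parent.acl if a.inherit]
    return Node(f"{parent.path}/{name}", owner=creator, group=creator, acl=inherited)


def share(with_admin_group):
    """Dataset root owned by pheggask, roughly like the thread's setup (constructed)."""
    acl = [Ace("owner@", FULL_CONTROL, inherit=True),
           Ace("group@", MODIFY, inherit=True),
           Ace("g:toto", MODIFY, inherit=True)]
    if with_admin_group:
        acl.insert(0, Ace("g:builtin_administrators", FULL_CONTROL, inherit=True))
    return Node("/mnt/tank/share", owner="pheggask", group="pheggas", acl=acl)


def who_can_edit_acl(with_admin_group):
    """toto creates a file under the share; who may then change that file's ACL?"""
    f = create_child(share(with_admin_group), "report.docx", creator="toto")
    return {u: allowed(f, u, "write_acl") for u in ("pheggask", "toto")}


def deny_beats_allow():
    """A deny ACE ordered before an allow ACE for the same principal wins for that right."""
    d = Node("/mnt/tank/share/locked", "pheggask", "pheggas",
             [Ace("u:toto", frozenset({"write"}), kind="deny"), Ace("u:toto", MODIFY)])
    return allowed(d, "toto", "write"), allowed(d, "toto", "read")


if __name__ == "__main__":
    print(who_can_edit_acl(False))  # toto owns the new file; pheggask cannot edit its ACL
    print(who_can_edit_acl(True))   # inherited builtin_administrators FULL_CONTROL fixes that
    print(deny_beats_allow())
```

Without the admin group entry the dataset owner has no write_acl right on a file another user created, which is exactly the situation described earlier in the thread; the inherited group entry is what carries that right down to files created later. Entries without INHERIT never reach the child, so adding the group to the dataset in a non-inheriting way would not help.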
 

Pheggas

Cadet
Joined
Dec 29, 2021
Messages
7
Re-read my answer above regarding S-1-22-2-<RID> SIDs.
Right. So as you don't map a default user's primary group, that means it should be S-1-22-2-<RID> before translation, and after it, it should translate to Unix Group, which it did, so it's perfectly fine.

You can hack the SMB configuration to force inheritance of file owner from parent directory, but it's much better to get used to how the OS works.
I don't need that ability, I guess.

Either (1) the user you are authenticated as lacks permissions or (2) you need to disable inheritance for the path in question.
I'm not sure how the first guess could be the answer, as I set my account to have full control over that dataset. So there shouldn't be any kind of lack of permissions. And for the second, I'm not even sure how to achieve such a thing to at least try it.

If you want an administrator group to be able to administer permissions, add the group `builtin_administrators` to the dataset's ACL with INHERIT set and FULL_CONTROL, and then make your admin user a member of said group.
I wasn't sure if it would help my situation, but I tried it and, as I could have guessed, it didn't help. I added that group to that dataset to have full permissions (in the basic view, though) and added my main user to that group. However, it didn't help. The thing that partially solved my issue was changing owner@ and group@ to my main user account. That at least grayed out the checkboxes, which is what I wanted.

It still doesn't let me uncheck the boxes in the Allow column, but it lets me check boxes in the Deny column, and I can actually save the changes and the changes are applied as they should be. Thankfully, the Deny column has higher priority, so even if the Allow column is checked, if Deny is checked too, it applies the Deny column.

At this point I'm pretty much satisfied, but I'd still like to uncheck that Allow column on standard users. Do you have any ideas where the issue could be? Or is it just the way it is done in TrueNAS / Windows and not worth dealing with?
 