File got deleted in samba with read only user

netops · 03-23-2015, 10:31 AM

Hi,

I am using samba-3.4.6 file server on centos-5.8 under winbind authentication with SMBLDAP domain server. Last day I found one of file was missing from a folder, after checking smbaudit log I came to know that file got deleted by a user (abc) that don't have read & write permission on that path. I checked with user (abc) login physically on his system but user (abc) are unable to modify/delete/create any file at that path.

As per my past experience I got smbaudit log correct every time but not sure with this case.

File was missed, smbaudit logged the event but that user (abc) don't have write permission on that folder.

Could you please advise the possible reason for this event.

Thanks and regards,
Shekhar

rtmistler · 03-24-2015, 07:20 AM

It sounds as if you're saying that the log clearly shows that "user abc deleted a file" and when you looked further using two methods, you verified that (a) user abc does not have read, nor write permissions to the specific directory, and (b) you attempted to delete a file as that user, were unable too, and the log indicates that it was attempted, the attempt failed, and why the attempt failed.

Is this correct? If so, it does make no sense.

Can you clarify your description of the problem, because I think it's open to interpretation as to exactly what happened and how you're diagnosing it.

For diagnosis, I would put a test file in that directory and then attempt to access and delete that file as this user.

netops · 03-24-2015, 11:30 PM

smbaudit log pointing that file deleted successfully

Mar 18 14:51:44 cswpp1 smbd_audit: CSW\abc|192.168.xx.xxx|SOFTWARE|unlink|ok|shiftinchargedownload/SplashScreen.dll

and below is ACL permission output of shiftinchargedownload folder. where abc is member of unvdfa group & he has read only rights.

# file: shiftinchargedownload
# owner: CSW\134bis
# group: root
user::rwx
group::r-x
group:CSW\134software:r-x
group:CSW\134unvdfa:r-x
group:BUILTIN\134users:r-x
group:CSW\134adeptsupt:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:CSW\134software:r-x
default:group:CSW\134unvdfa:r-x
default:group:BUILTIN\134users:r-x
default:group:CSW\134adeptsupt:r-x
default:mask::rwx
default

ther::---

After this event, user abc is unable to create/modify/delete files/folder under shiftinchargedownload.

Please reply in case any information needed to trace this event.

pan64 · 03-25-2015, 04:48 AM

Is this reproducible?