ACL in unprivileged samba CT

[piviul]

Hi all, someone knows if there are problems regarding the acl use in samba hosted by a unprivileged CT?

Piviul

 

[Stefan_R]

Samba uses an authentication system different from linux ACLs, so I don't see where the issue would be. In general, as long as the container doesn't have to access any files from the host via bind mounts or the like, user permissions should never become an issue.

 

[piviul]

Samba uses an authentication system different from linux ACLs, so I don't see where the issue would be.

I mean POSIX ACL filesystem, the "nt acl support" option and his friend in samba; from man smb.conf:

       nt acl support (S)

           This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT
           access control lists. The UNIX permissions considered are the traditional UNIX owner and group
           permissions, as well as POSIX ACLs set on any files or directories. This parameter was formally a
           global parameter in releases prior to 2.2.2.

           Default: nt acl support = yes

In general, as long as the container doesn't have to access any files from the host via bind mounts or the like, user permissions should never become an issue.

In effect I can't understand why samba crash in unprivileged ct but I suspect that it's tied to the mapping between acl (in extended fs attribute) and nt acl. When samba crash in the logs I can see:

[2020/06/25 09:15:53.369257,  0] ../source3/lib/util.c:791(smb_panic_s3)
  PANIC (pid 4071): sys_setgroups failed

There is nobody there that use a file server samba in unprivileged CT with acl mapping between fs and nt enabled?

Piviul