Make ibay files executable

compsos · June 16, 2017, 11:05am

NethServer Version: 7.4
Module: Samba 4.4.4 AD
Need to be able to call exe files from an ibay on Windows clients…

Is this code safe to try?

"mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/
vi /etc/e-smith/templates-custom/etc/samba/smb.conf/11globalexecfix

Paste the smb settings and save the file:

# Allow Windows machines to execute things that don't have
# the execute bit set
`acl allow execute always = True"`

The way I read the effect of this it opens all ibays to code execution. Is it possible to restrict to an individual ibay. Tried templating but that looped the smb.conf file. Manually adjusting the file permission does allow the program to run.

Thanks

dnutan · June 24, 2017, 7:09pm

Hi Gordon! Sorry for late reply.

Your request is similar to this one from @iglqut. Maybe he can give us some advice on his experience.

An option could be to manually set the executable ACL to the desired ibay. In this example we set an ACL for the Domain Users group, on an ibay named sharedfolder:

setfacl -PR -m group:"Domain Users":x /var/lib/nethserver/ibay/sharedfolder/

Another option is to create a custom template that will add (towards the end of the smb.conf file) the execution parameter for a specific ibay:

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/
vi /etc/e-smith/templates-custom/etc/samba/smb.conf/99ibay_customization

Replace sharedfolder with the ibay name:

# 99ibay_customization:
[sharedfolder]
acl allow execute always = True

Apply the changes:

signal-event nethserver-samba-update

One more option is to create a new ibay profile:
For instance, duplicating the default profile and adding the executable ACL right. In this example the new profile is named executable:

cp -r /etc/e-smith/templates/etc/samba/smb.conf/ibay-default/ /etc/e-smith/templates/etc/samba/smb.conf/ibay-executable/
vi /etc/e-smith/templates/etc/samba/smb.conf/ibay-executable/21profile_executable

# 21profile_executable:
acl allow execute always = True

Then assign the new profile to the desired ibay (replace sharedfolder with your own ibay name):

db accounts setprop sharedfolder SmbProfileType executable

Finally, apply the changes:

signal-event nethserver-samba-update

Do note what the smb.conf manual says about the acl allow execute always parameter:

   acl allow execute always (S)

       This boolean parameter controls the behaviour of smbd(8) when receiving a protocol request
       of "open for execution" from a Windows client. With Samba 3.6 and older, the execution
       right in the ACL was not checked, so a client could execute a file even if it did not have
       execute rights on the file. In Samba 4.0, this has been fixed, so that by default, i.e.
       when this parameter is set to "False", "open for execution" is now denied when execution
       permissions are not present.

       If this parameter is set to "True", Samba does not check execute permissions on "open for
       execution", thus re-establishing the behaviour of Samba 3.6. This can be useful to smoothen
       upgrades from older Samba versions to 4.0 and newer. This setting is not meant to be used
       as a permanent setting, but as a temporary relief: It is recommended to fix the permissions
       in the ACLs and reset this parameter to the default after a certain transition period.


       Default: acl allow execute always = no

I’m not an expert, so if anyone observes security implications or knows better options, please comment.

iglqut · July 3, 2017, 11:51am

We are using the template method. That is working now für 6 month in our system without any troubles, because your independent from modification thru updates.