Buffalo NAS-Central Forums

Welcome to the Linkstation Wiki community

Post new topic  Reply to topic  [ 144 posts ]  Go to page Previous 16 7 8 9 10 Next
PostPosted: Fri Oct 06, 2006 2:52 am
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Alright, here are my results:

Apparently, running Apache as group httpd causes files uploaded through DAV to be completely inaccessible through samba. In experimenting, I changed apache to group hdusers and DAV uploaded files could be read. I set each share with the group sticky bit as Andre suggested. One problem is that DAV uploaded files have rwx-sr-x permissions. I cannot write/delete DAV uploaded files through samba. There does not seem to be a way to change mod_dav file permissions, so I don't know how to force DAV uploaded files to have rwxrwx--- or rwxrwxrwx (as samba gives currently to files) permissions so that users can edit the files locally.

UPDATE: I guess I'm getting too stupid now, the problem was apparently with read-only files. You can't change read-only attributes through group, but through the user. Since the user doesn't access files through samba as the apache user (even though they are in the same group as the apache user) the user can't edit or delete the file. I've really got to get kernel 2.6 compiled now. I'm getting sick of the limited (though strong) unix permissions and trying to make them work on windows environments.

_________________
http://www.opifer.net


PostPosted: Fri Oct 06, 2006 5:34 am
Site Admin
Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
The permissions have got to be 2770, not 2755! Are you sure the /mnt/hda/* directories have got these permissions?


PostPosted: Fri Oct 06, 2006 5:41 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Yep, all /mnt/hda/* directories got 2770 permissions. All files transferred through webDAV got 2755 permissions. I don't get it either. I don't know how mod_dav could even write files with 2755 permissions. All documentation that I've read on mod_dav says that mod_dav appears to grant write access to only the user, so the apache user "httpd" here.

The only other solution I could think of would be to write a script or program that would catch the intended linux UID and spawn new httpd running as the appropriate UID. I've talked to a few buddies that managed to do this, but that is truly not feasible on such a resource restricted LS2. Plus, such a solution is quite messy.

Another solution (though I'd never do this) is to run Apache as root. That way apache could suexec as the appropriate UID when serving DAV directories. I'm sure I don't need to tell you this, but that is VERY BAD as a hacker could then gain complete access to my system.

I was considering writing in the shutdown script "chmod 2770 -R /mnt/hda/<share>", but then this would not be realtime (and my LS2 isn't configured to reboot that often during normal operation).

I also suppose I could look at mod_dav.c and see how and why files are getting 2755 permissions and possibly hack mod_dav to set 2770 permissions.

Using the wonderful Google, it appears that if I can find a way to force mod_dav (actually Apache) to give *nix login users write permissions to files, I'd be the first.

Thank you though Andre. IMHO, you are extremely knowledgeable and I appreciate all your help.

_________________
http://www.opifer.net


PostPosted: Fri Oct 06, 2006 8:20 pm
Site Admin
Joined: Tue Jul 12, 2005 11:26 am
Posts: 3701
Location: JAPAN
Would forcing Samba as root address this problem for you? You can set, in the share, force user = root and this gives all logged on users root permissions. Or will this 'break' what you are trying to do?

_________________
LS used as PVR and streaming source


PostPosted: Fri Oct 06, 2006 8:47 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@lb_worm: Potentially, setting force user = root would fix the write-permissions for DAV uploaded files, but then I would be unable to restrict user1 from accessing user2's private share (at least I think). It's an interesting workaround though, I've gotta work out the logic to see if doing so would really 'break' what I'm trying to do.

If I can manage to still impose user restrictions in Samba while forcing samba as root, I can't really think of any major repercussions since I've blocked samba from the WAN via NAT and those on my LAN I trust (as they're my family members). Though it'd be best to still have the most secure settings, I'd rather trust my family and friends not to hack my box rather than trusting the entire internet by running Apache as root.

Thanks for the insight.

_________________
http://www.opifer.net


PostPosted: Fri Oct 06, 2006 10:37 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Wow, lb_worm, your method (along w/ Andre's suggestion) worked. Instead of using force user = root, I added users[1-n] to the list of admin users:
Code:
 admin users = root,user1,user2,user3,user4,user5

Adding users as admin users grants users root permissions. Users write files to the shares root:hdusers through samba. User restrictions in samba still remain the same. I honestly don't know if this setting is wise, but I guess I will only know through further testing (i.e. trying to deliberately hack my box).

Please let me know if adding the users to the admin list is extremely unsafe.

It appears now the only issue is with the file-locks (which isn't a huge problem anyway). Basically, files opened in samba can also be opened through webDAV simultaneously (vice versa). I think I can fix that by forcing mod_dav to use the kernel lock system (the file-locking system I believe Samba uses) rather than DBLockfiles. That will take some time as I need to modify mod_dav.c and recompile apache and mod_dav. But as I said, this isn't a major issue since users would rarely if ever use samba and webDAV at the same time. Fixing the file-locks is more like precaution rather than a functionality fix.

Thank you both very much.

_________________
http://www.opifer.net


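Editor's note on the `admin users` setting asked about in the post above: Samba's own documentation describes `admin users` as users who do all file operations on that share as root, so it has the same effect on the filesystem as `force user = root`, just limited to the listed accounts. Samba's `valid users` check still applies, which is why the per-share restrictions appear unchanged, but any bug or path trick that gets a listed user outside the share path is exercised with root's privileges. The following is an added example, not code from the thread or from Samba: a small Python check that parses smb.conf, flags shares on which connecting users end up operating as root, and computes the mode new files get. It also shows the group-based stanza (force the shared group and a group-writable create mode, keep the real user) that Andre's "set the correct umask and use the group" suggestion amounts to on the Samba side. The sample smb.conf is constructed for this example; the share names and the hdusers group are assumptions, and the create-mode computation ignores Samba's mapping of DOS attributes onto execute bits.

```python
"""Added example (not from the thread): flag root-equivalent share settings in
smb.conf and compute the mode new files get.  The sample configuration is
constructed for this example; share names and the hdusers group are assumed."""
import configparser

# Constructed sample: the options discussed in the thread, side by side.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = HOME
    security = user

; Every listed user does all file operations as root on this share.
[share_admin_users]
    path = /mnt/hda/share
    valid users = user1, user2
    admin users = root, user1, user2
    writable = yes

; Every operation on this share runs as root no matter who connected.
[share_force_root]
    path = /mnt/hda/share
    valid users = user1, user2
    force user = root
    writable = yes

; Group approach: keep the real user, force the shared group and a
; group-writable mode so the web server (also in hdusers) can edit the files.
[share_group]
    path = /mnt/hda/share
    valid users = @hdusers
    force group = hdusers
    create mask = 0660
    force create mode = 0660
    directory mask = 2770
    force directory mode = 2770
    writable = yes
"""

# Samba's documented defaults, so shares that do not set these still compute.
DEFAULTS = {
    "create mask": "0744",
    "force create mode": "0000",
    "directory mask": "0755",
    "force directory mode": "0000",
}


def parse_smb_conf(text):
    """smb.conf is INI-like but indents option lines; configparser would read
    an indented line as a continuation of the previous value, so strip the
    indentation before parsing."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(
        strict=False, interpolation=None,
        inline_comment_prefixes=(";", "#"), empty_lines_in_values=False,
    )
    cp.read_string(flat)
    return cp


def root_equivalent_shares(text):
    """Return {share: [finding, ...]} for every non-global share on which a
    connecting user ends up operating on the filesystem as root."""
    cp = parse_smb_conf(text)
    findings = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        notes = []
        if "admin users" in sec:
            users = [u.strip() for u in sec["admin users"].split(",") if u.strip()]
            notes.append("admin users: %s operate as root" % ", ".join(users))
        if sec.get("force user", "").strip() == "root":
            notes.append("force user = root: every connection operates as root")
        if notes:
            findings[share] = notes
    return findings


def effective_create_mode(section, requested=0o666):
    """Mode smbd gives a new file: the requested mode is ANDed with
    'create mask', then ORed with 'force create mode'.  (The mapping of DOS
    attributes onto execute bits is ignored here.)"""
    mask = int(section.get("create mask", DEFAULTS["create mask"]), 8)
    force = int(section.get("force create mode", DEFAULTS["force create mode"]), 8)
    return (requested & mask) | force


def report(text):
    """One line per share: the mode new files get and whether it is root-equivalent."""
    cp = parse_smb_conf(text)
    bad = root_equivalent_shares(text)
    lines = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        status = "; ".join(bad.get(share, ["not root-equivalent"]))
        lines.append("%-20s new files %s  %s"
                     % (share, oct(effective_create_mode(cp[share])), status))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SMB_CONF))
```

Run against the constructed sample, the first two shares are flagged and the third is not; the third is also the only one on which a new file comes out 0660, which is the group-writable result the thread was trying to get for WebDAV uploads as well.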
PostPosted: Sat Oct 07, 2006 5:27 am
Site Admin
Joined: Tue Jul 12, 2005 11:26 am
Posts: 3701
Location: JAPAN
Samba uses lock files when it opens them up which is probably why you can n see this.

Using force user = root is only applicable to that persons settings. As you say though, it will mean that the user can navigate anywhere.

What version of Samba are you using? Samba access has changed with the move to 3.x

_________________
LS used as PVR and streaming source


PostPosted: Sat Oct 07, 2006 7:27 am 
I wouldn't use samba and dav on the same shares. DAV is excellent but it isn't a distributed file system. If there are many writes from samba then you could have issues


PostPosted: Sun Oct 08, 2006 11:04 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
lb_worm wrote:
What version of Samba are you using? Samba access has changed with the move to 3.x

I'm using the original samba 2.2.8 (I haven't updated to 3 yet, I heard it's a resource hog).

dc2447 wrote:
I wouldn't use samba and dav on the same shares. DAV is excellent but it isn't a distributed file system.


Yeah, I know. As I stated in a previous post, samba and dav should not have access to the shares mainly for two reasons:
1) DAV (unlike Samba, ftp, etc.) does not read/write files as a login *nix user, but rather as the web server's user; though technically, webDAV is what does this. It is possible to write a DAV server that can read/write to the linux file system as login *nix users. But as I noted earlier, doing so is a hassle and a resource hog because of all the child daemons needed.

2) The other reason is the file locking. File locking is not imposed in DAV, it's left up to the client (i.e. frontpage) to use them. Also, the file locks are not done through the kernel processes, but rather through DAV server itself. For example, windows locks files when you open a file (not the executable opening the file), but here, DAV places the file locks, not the OS.

This being said, I know that using samba and dav really should be separate, but I'm trying to perform a decent workaround until I can find a better method (i.e. ACLs perhaps). That is why I have set up samba and dav to write files to the shares in a manner that both samba and Apache can read/write to the shares (so basically take care of issue 1). Issue 2 only becomes a serious issue when samba and Apache are reading/writing to the same file simultaneously. Though not ideal, this would occur rarely due to the manner in which my users use the Linkstation. Even still, I will attempt to create a fix here.

dc2447 wrote:
If there are many writes from samba then you could have issues


I believe I addressed the issues you were implying, but would you mind telling me specifically what you meant? Are there other problems that have not been addressed?

Thank you both for your comments and insight.

_________________
http://www.opifer.net


PostPosted: Mon Oct 09, 2006 5:07 am
Site Admin
Joined: Tue Jul 12, 2005 11:26 am
Posts: 3701
Location: JAPAN
The later version of samba addresses the ACL issues but then you need kernel mods for it to function properly.

_________________
LS used as PVR and streaming source


PostPosted: Mon Oct 09, 2006 3:20 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
lb_worm wrote:
The later version of samba addresses the ACL issues but then you need kernel mods to for it to function properly.


That's interesting. I'll definitely have to look into this. One problem though is the "kernel mods". I don't think this can be easily done on the LS2's mips platform. I don't believe anyone here has done this successfully since no one has yet managed to compile a kernel for the LS2. This is sort of off topic, but a side-project of mine is trying to cross-compile the kernel for the LS2 on an x86 version of Linux. As you know, this poses many issues and is very unreliable. I am waiting until I purchase another LS2 or an LS Pro (I'd do so once it's been successfully fully opened/hacked). I don't want to destroy my LS2 as I have a lot of data on it.

If I can manage to compile a successful kernel 2.6 for the LS2, I then can correct the permissions issues 1 and 2 more fully.

Thanks for your help

_________________
http://www.opifer.net


PostPosted: Mon Oct 09, 2006 7:33 pm
Site Admin
Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
It's sure getting interesting... I set up WebDAV on Lighty 1.4.11-backports and found no matter what the file permissions were, it would only work when the web server user had write permissions; plus I found everything was set to 700/600 (I only had a user auth file, a group auth file might or might not have led to different results).

In conclusion, what you could do is have smbd and the http server run under the same user. Everything else would be a matter of getting the webdav and samba user setup in sync.

A somewhat better approach would be to set the correct umask, and the 'group' approach. Which still wouldn't solve the locking issue.


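Editor's note on the umask and group approach above, with an added example that is not code from the thread or from any of the projects named in it. Three Unix rules decide everything the posts in this thread are fighting with: a setgid (2770) directory makes every file created inside it inherit the directory's group, whatever group the creating daemon runs as; whether the group-write bit survives on a new file is decided by the creating process's umask (or, for Samba, its create mask), not by its group membership; and deleting or renaming a file needs write and search permission on the directory, not write permission on the file itself, so a group member can remove a 0755 file they cannot edit. The Python below models those rules for the thread's setup (share root:hdusers 2770, WebDAV upload owned by the web server user) and also creates a real file under a setgid directory to show the umask effect. All names and numeric IDs (httpd, alice, bob, hdusers) are assumptions chosen for illustration, not values taken from the LinkStation.

```python
"""Added example (not from the thread): the Unix DAC rules behind the
Samba/WebDAV permission clash.  Names and numeric IDs (httpd, alice, bob,
hdusers) are assumptions for illustration, not values from the LinkStation."""
import os
import stat
import tempfile

ROOT = 0
HTTPD_UID, ALICE_UID, BOB_UID = 1001, 1002, 1003   # assumed
HDUSERS_GID, OTHER_GID = 100, 200                   # assumed


def permits(mode, owner_uid, owner_gid, uid, gids, want):
    """Owner/group/other check for a single permission 'r', 'w' or 'x'.

    Only the first matching class is consulted: a group member who is not
    the owner is judged by the group bits alone, never by the 'other' bits.
    root (uid 0) bypasses DAC entirely.
    """
    if uid == ROOT:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def access(share, file_mode, file_uid, file_gid, uid, gids):
    """What a process (uid, gids) can do to one file inside a share directory.

    share = (dir_mode, dir_uid, dir_gid).  Every operation needs search (x)
    on the directory; unlink/rename additionally need write on the directory
    and never look at the file's own mode.  The sticky bit is ignored because
    the shares in the thread are 2770, not 1770.
    """
    dir_mode, dir_uid, dir_gid = share
    search = permits(dir_mode, dir_uid, dir_gid, uid, gids, "x")
    return {
        "read": search and permits(file_mode, file_uid, file_gid, uid, gids, "r"),
        "write": search and permits(file_mode, file_uid, file_gid, uid, gids, "w"),
        "delete": search and permits(dir_mode, dir_uid, dir_gid, uid, gids, "w"),
    }


def thread_scenario(dav_file_mode):
    """Share directory is root:hdusers 2770; a WebDAV upload is owned by
    httpd:hdusers with dav_file_mode.  alice is a Samba user in hdusers,
    bob is a Samba user who is not."""
    share = (0o2770, ROOT, HDUSERS_GID)
    return {
        "alice": access(share, dav_file_mode, HTTPD_UID, HDUSERS_GID, ALICE_UID, {HDUSERS_GID}),
        "bob": access(share, dav_file_mode, HTTPD_UID, HDUSERS_GID, BOB_UID, {OTHER_GID}),
    }


def effective_mode(requested, umask):
    """Mode the kernel leaves after applying the process umask to the mode
    passed to open(2)/mkdir(2).  A daemon's umask, not its group membership,
    decides whether the group-write bit survives."""
    return requested & ~umask & 0o7777


def created_mode(umask):
    """Create a real file under a setgid (2770) directory with the given umask.
    Returns (permission bits of the new file, whether it carries the
    directory's gid, which the setgid bit guarantees on Linux)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            os.chmod(d, 0o2770)  # the share layout used in the thread
            path = os.path.join(d, "upload.txt")
            with open(path, "w") as fh:
                fh.write("constructed sample upload\n")
            st = os.stat(path)
            return stat.S_IMODE(st.st_mode), st.st_gid == os.stat(d).st_gid
    finally:
        os.umask(old)


if __name__ == "__main__":
    for mode in (0o755, 0o775):
        print(oct(mode), thread_scenario(mode))
    for um in (0o022, 0o002):
        print("umask", oct(um), "->", oct(created_mode(um)[0]))
```

With a 0755 upload, alice can read and delete the file but not write to it, which is exactly the "can't edit, can delete" result that a group-only fix produces; with 0775 she can write as well. bob, who is not in hdusers, gets nothing because the 2770 directory denies him search permission before the file's mode is ever consulted. The real-filesystem check shows umask 022 producing 0644 and umask 002 producing 0664 in the same setgid directory.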
PostPosted: Mon Oct 09, 2006 10:33 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
andre wrote:
I only had a user auth file, a group auth file might or might not have led to different results

I don't think this will make much of a difference. I still haven't found where in the source these permissions are set, but according to the RFC draft responsible for the webDAV protocol (I don't remember what number, look at webdav.org), these permissions are suggested until the ACL for webDAV is finalized. So, I'm pretty sure that it does not matter, webdav will still write files without group write permissions.

I read something interesting though in the development of webDAV, there is work to finalize the protocol so that webDAV CAN read/write as *nix login users (doing so through apache). I didn't read it very carefully though, but I suspect it would be done by creating a webserver mod that can spawn new apache/lighty daemons as *nix users. I don't know when we can expect the draft to be finalized or even when mod_dav would implement the new draft. I suppose that the developers at IETF are still working on a method to make the child daemons as safe as possible. Who knows, I guess we have to wait and see.

Until then, we'll have to just deal with the current limitations.

andre wrote:
In conclusion, you could do is put the smbd and the http server run under the same user.

Would doing this really force samba and the webserver to read/write as the same user? Files written by samba are written as the *nix user, not the smbd user.

andre wrote:
A somewhat better approach would be to set the correct umask, and the 'group' approach.


I think you're right. Right now the only reliable way I found to get samba and webdav to cooperate with permissions is to give samba users root permission (and keep samba user restrictions though) by adding them to the admin list in smb.conf. Then, have apache run under the samba user group. Finally, like you suggested previously, set the GID sticky bit on the shares. So, though not ideal, this is somewhat of a combination of your two stated methods. Note: I could not get samba and webdav to cooperate when apache ran under a separate group httpd. It seems that even though the Apache user may belong to both group httpd and the samba user-group, apache will write files as the group specified in httpd.conf. I don't know if this is the same with lighty.

I think that the webDAV locking issue can be solved by forcing webDAV to use the same file locks as Samba. I'm still trying to figure out exactly how samba locks the files. As lb_worm stated, samba does use file locks. Of course, doing so would not at all help the file locking issue universally (i.e. may have locking issue with another prog other than samba), but it should resolve some issues. It seems that mod_dav created the file locks mechanism simply with Apache in mind. They did not create mod_dav to cooperate with other true distributed-file-systems like smb or ftp. Nevertheless, I can't find anything in the drafts suggesting that using kernel-based file locks can't be done.

On windows, the file-locking issue can be fixed simply because webDAV uses windows oplocks (Deny-Mode) and so does smb (Windows Networking, I don't mean Samba here). So users can easily setup network shares and webDAV to cooperate. Also, webDAV for IIS uses more intricate permissions settings which would probably fix the permissions issue completely (I'm not sure here as I haven't really used DAV other than on the LS). Unix based systems are tougher. It seems that kernel 2.6 supports oplocks and the locking issue would be easier to fix. Andre, you'd probably be the best to answer this.

Also, anyone know where the default lock directory for samba is on the LS2? I think it's in /mnt/ram/var/spool/samba but I'm not sure as it's not specified in smb.conf

So, finally, I don't think there's much more we can do right now about Issue #1, but as for file locking, I suggest that webDAV be forced to use the same locking mechanism Samba recognizes.

Thanks Andre for testing this.

_________________
http://www.opifer.net


PostPosted: Mon Oct 09, 2006 11:47 pm
Site Admin
Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
I forgot to say, I think that the lock database for webdav is just a list of files in ASCII that are locked. If samba is capable of understanding the list, it would be likely that samba and webdav use the same lock database (a better approach would be for both to use kernel oplocks -- but that's not exactly possible on the LS2, at least I don't think so). Using the same database should force samba to respect webDAV locks and vice versa.

_________________
http://www.opifer.net


PostPosted: Tue Oct 10, 2006 4:46 am
Site Admin
Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
jonli447 wrote:
the smbd and the http server run under the same user.
Would doing this really force samba and the webserver to read/write as the same user? Files written by samba are written as the *nix user, not the smbd user.


That's the point, isn't it. All my webdav files here are www-data: and [d]rw[x]------. Everything above this level must be handled by Apache or Samba, to my understanding.

jonli447 wrote:
It seems that even though the Apache user may belong to both group httpd and the samba user-group, apache will write files as the group specified in httpd.conf


One group is the primary group. You can adjust that (on the system level). And you can also change the group in the configuration files. So you've got everything you need?

As a side note, lighty 1.4.12 features (experimental) webdav locking. Haven't tried this version myself.

