From: Anoop C S
Date: Fri, 11 Jul 2025 12:30:51 +0000 (+0530)
Subject: cephadm: Bind mount /var/lib/samba with 0755
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=50db194bc478a2f017541fae6a84efea2f4eb39a;p=ceph.git

cephadm: Bind mount /var/lib/samba with 0755

To start with, all this while, `testparm -s` used to spit out the following lines:

. . .
WARNING: state directory /var/lib/samba should have permissions 0755 for browsing to work
WARNING: cache directory /var/lib/samba should have permissions 0755 for browsing to work
. . .

Putting aside security sensitive stuff like secrets.tdb inside state directory, others by design are expected to be accessed by configured samba users and thus permissions differ between the directory and its contents. With 0770 we denied the access for others and in certain scenarios this denial resulted in real world problems like failure to close file handles and other not so obvious return statuses.

Going by the design and corresponding warning emitted by the `testparm` tool, it is safe and correct to change the mode from 0770 to 0755 while preparing lib-samba bind mount for /var/lib/samba.

Fixes: https://tracker.ceph.com/issues/72089
Signed-off-by: Anoop C S
---
diff --git a/src/cephadm/cephadmlib/daemons/smb.py b/src/cephadm/cephadmlib/daemons/smb.py index 891e01e112a9..9249194a4ee5 100644 --- a/src/cephadm/cephadmlib/daemons/smb.py +++ b/src/cephadm/cephadmlib/daemons/smb.py @@ -753,7 +753,7 @@ class SMB(ContainerDaemonForm): ddir = pathlib.Path(data_dir) etc_samba_ctr = ddir / 'etc-samba-container' file_utils.makedirs(etc_samba_ctr, uid, gid, 0o770) - file_utils.makedirs(ddir / 'lib-samba', uid, gid, 0o770) + file_utils.makedirs(ddir / 'lib-samba', uid, gid, 0o755) file_utils.makedirs(ddir / 'run', uid, gid, 0o770) if self._files: file_utils.populate_files(data_dir, self._files, uid, gid)
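Review bot: The changed `lib-samba` makedirs line now sits at 0o755 between two 0o770 siblings (`etc-samba-container` and `run`) with no comment explaining the difference, so a later cleanup could easily "normalize" it back to 0o770 and reintroduce the problem. Suggest a one-line comment directly above it, for example `# 0755: samba expects its state/cache dir to be accessible to others (see testparm warning)`. Since the commit message itself notes that secrets.tdb lives in this state directory, it would also help to state in the description, or cover with a test, that the sensitive files inside keep their own restrictive modes, because after this change the directory mode no longer shields them. Note too that `ddir / 'lib-samba'` is created under `data_dir` on the host side of the bind mount, so "others" here includes host-local accounts wherever the parent directories allow traversal; worth confirming that the parent of `data_dir` is not world-traversable.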