Attachment 4350 Details for Bug 6507 – bug text as attachment

bug text as attachment

samba_acls.txt (text/plain), 4.11 KB, created by Peter Rindfuss on 2009-06-25 09:53:30 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Peter Rindfuss

Created: 2009-06-25 09:53:30 UTC

Size: 4.11 KB

patch

obsolete

>We have Samba 3.3.6 with ACLs on OpenSuse 11.0 (PDC/BDC with OpenLDAP).
>Clients are WinXP Pro SP3. Winbindd ist not used.
>
>
>I have noticed some problems with ACLs and their inheritance. I first saw this with Samba 3.3.5/3.3.6, but I found out it also exists in 3.2.7, our previous version. I think it is serious because it caused a security hole here.
>
>I apologize for the lengthy text but I think it is necessary to explain the circumstances. I add it as an attachment to give a chance to better read the ACL tables.
>
>
>Given is a folder M:\user\aaa owned by user 'aaa' with primary group 'users'. Windows advanced ACL editor shows
>
>Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
>Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
>Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
>Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
>Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
>The flag 'Inherit from the parent the permission entries ...' is set.
>
>I think this is as it should be.
>Now I create a subfolder M:\user\aaa\abc. 'abc' gets permissions
>
>Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
>Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
>Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
>Allow | Otto Aaa (WZB\aaa)       | Full control | M:\user\aaa     | This folder only
>Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only
>The flag 'Inherit from the parent the permission entries ...' is set.
>
>This is as it should be again though I wonder why the first 3 rows are not shown as 'inherited'.
>
>Now I add user 'bbb' with read & execute permissions to M:\user\aaa with the extra setting 'this folder only'.
>Permissions for M:\user\aaa are now
>Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
>Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
>Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
>Allow | Anna Bbb (WZB\bbb)       | Read&Execute | <Not inherited> | This folder only
>Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
>Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
>
>Fine again.
>
>Now I create another subfolder M:\user\aaa\xyz
>Permissions for M:\user\aaa\xyz go nuts:
>Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
>Allow | Domain Users (WZB\users) | Full control | <Not inherited> | This folder only
>Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
>Allow | root (WZB\root)          | Full control | M:\user\aaa     | This folder only
>Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only
>
>---------------------------------------------------------------------------
>Problem 1: 'Domain Users (WZB\users)' get 'Full control' instead of 'None'
>Problem 2: 'root (WZB\root)' replaces 'Otto Aaa (WZB\aaa)'.
>---------------------------------------------------------------------------
>
>Further observations:
>- Problem 2 only occurs if I create folder 'M:\user\aaa\xyz' as an admin user. If I do it as 'aaa', only problem 1 remains.
>- Nothing bad happens if user 'bbb' is added to folder 'M:\user\aaa' with 'This folder, subfolders and files'.
>- More generally, nothing bad happens, if there is at least one additional user or group in the ACL for 'M:\user\aaa' with 'This folder, subfolders and files', even if user 'bbb' has rights for 'This folder only'.
>
>In the standard log, I found the line
>[2009/06/25 16:32:20,  0] smbd/open.c:change_dir_owner_to_parent(255)
>  change_dir_owner_to_parent: device/inode/mode on directory user/aaa/abc changed. Refusing to chown !
>whenever things went wrong.

Actions: View

Attachments on bug 6507: 4349 | 4350 | 4351