The Samba-Bugzilla – Attachment 4350 Details for Bug 6507
change_dir_owner_to_parent: acl inheritance bug
Attachment: samba_acls.txt (text/plain), 4.11 KB, created by Peter Rindfuss on 2009-06-25 09:53:30 UTC
Description: bug text as attachment
>We have Samba 3.3.6 with ACLs on OpenSuse 11.0 (PDC/BDC with OpenLDAP). Clients are WinXP Pro SP3. Winbindd is not used.
>
>I have noticed some problems with ACLs and their inheritance. I first saw this with Samba 3.3.5/3.3.6, but I found out it also exists in 3.2.7, our previous version. I think it is serious because it caused a security hole here.
>
>I apologize for the lengthy text, but I think it is necessary to explain the circumstances. I add it as an attachment to give a chance to better read the ACL tables.
>
>Given is a folder M:\user\aaa owned by user 'aaa' with primary group 'users'. The Windows advanced ACL editor shows:
>
>Type  | Name                      | Permission   | Inherited From  | Apply To
>Allow | everyone                  | None         | <Not inherited> | This folder, subfolders and files
>Allow | Otto Aaa (WZB\aaa)        | Full control | <Not inherited> | This folder only
>Allow | Domain Users (WZB\users)  | None         | <Not inherited> | This folder only
>Allow | CREATOR OWNER             | Full control | <Not inherited> | Subfolders and files only
>Allow | CREATOR GROUP             | None         | <Not inherited> | Subfolders and files only
>
>The flag 'Inherit from the parent the permission entries ...' is set.
>
>I think this is as it should be.
>
>Now I create a subfolder M:\user\aaa\abc. 'abc' gets permissions:
>
>Type  | Name                      | Permission   | Inherited From  | Apply To
>Allow | everyone                  | None         | <Not inherited> | This folder, subfolders and files
>Allow | Domain Users (WZB\users)  | None         | <Not inherited> | This folder only
>Allow | CREATOR GROUP             | None         | <Not inherited> | Subfolders and files only
>Allow | Otto Aaa (WZB\aaa)        | Full control | M:\user\aaa     | This folder only
>Allow | CREATOR OWNER             | Full control | M:\user\aaa     | Subfolders and files only
>
>The flag 'Inherit from the parent the permission entries ...' is set.
>
>This is as it should be again, though I wonder why the first 3 rows are not shown as 'inherited'.
>
>Now I add user 'bbb' with read & execute permissions to M:\user\aaa with the extra setting 'this folder only'. Permissions for M:\user\aaa are now:
>
>Type  | Name                      | Permission   | Inherited From  | Apply To
>Allow | everyone                  | None         | <Not inherited> | This folder, subfolders and files
>Allow | Otto Aaa (WZB\aaa)        | Full control | <Not inherited> | This folder only
>Allow | Domain Users (WZB\users)  | None         | <Not inherited> | This folder only
>Allow | Anna Bbb (WZB\bbb)        | Read&Execute | <Not inherited> | This folder only
>Allow | CREATOR OWNER             | Full control | <Not inherited> | Subfolders and files only
>Allow | CREATOR GROUP             | None         | <Not inherited> | Subfolders and files only
>
>Fine again.
>
>Now I create another subfolder M:\user\aaa\xyz. Permissions for M:\user\aaa\xyz go nuts:
>
>Type  | Name                      | Permission   | Inherited From  | Apply To
>Allow | everyone                  | None         | <Not inherited> | This folder, subfolders and files
>Allow | Domain Users (WZB\users)  | Full control | <Not inherited> | This folder only
>Allow | CREATOR GROUP             | None         | <Not inherited> | Subfolders and files only
>Allow | root (WZB\root)           | Full control | M:\user\aaa     | This folder only
>Allow | CREATOR OWNER             | Full control | M:\user\aaa     | Subfolders and files only
>
>---------------------------------------------------------------------------
>Problem 1: 'Domain Users (WZB\users)' get 'Full control' instead of 'None'.
>Problem 2: 'root (WZB\root)' replaces 'Otto Aaa (WZB\aaa)'.
>---------------------------------------------------------------------------
>
>Further observations:
>- Problem 2 only occurs if I create folder 'M:\user\aaa\xyz' as an admin user. If I do it as 'aaa', only problem 1 remains.
>- Nothing bad happens if user 'bbb' is added to folder 'M:\user\aaa' with 'This folder, subfolders and files'.
>- More generally, nothing bad happens if there is at least one additional user or group in the ACL for 'M:\user\aaa' with 'This folder, subfolders and files', even if user 'bbb' has rights for 'This folder only'.
>
>In the standard log, I found the line
>
>[2009/06/25 16:32:20, 0] smbd/open.c:change_dir_owner_to_parent(255)
>  change_dir_owner_to_parent: device/inode/mode on directory user/aaa/abc changed. Refusing to chown !
>
>whenever things went wrong.
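The log line quoted at the end of the report names device, inode and mode as the three things smbd compared before refusing to chown the new directory. The C program below is an added example, not Samba's code and not a reproduction of this bug: it isolates that two-look pattern (lstat the path, reopen with O_DIRECTORY|O_NOFOLLOW, fstat the descriptor, compare) and runs it under three constructed mutations so the two possible comparison policies can be contrasted. A strict policy that compares all of st_mode rejects a directory whose permission bits were rewritten between the two looks (here by chmod; whether an ACL inheritance step did the same thing in the reporter's setup is not established on this page), while a device/inode/file-type comparison still rejects a directory that was replaced by another inode, which is the case the check exists to catch. All names, the /tmp layout and the scenario numbering are this example's own.

```c
/* Added example (not Samba's code): the two-look directory check behind a
 * "device/inode/mode ... changed. Refusing to chown !" style refusal, with a
 * strict (whole st_mode) and a lenient (dev/inode/file type) comparison.
 * Names, scratch-directory layout and scenario numbers are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict {
    VERDICT_ERROR = -1,
    VERDICT_OK = 0,           /* same directory, safe to act on the descriptor */
    VERDICT_REPLACED = 1,     /* different device or inode: not the object we looked at */
    VERDICT_MODE_CHANGED = 2  /* mode comparison failed */
};

/* First look: record identity and mode of the directory as seen by path. */
static int snapshot_dir(const char *path, struct stat *before)
{
    if (lstat(path, before) != 0)
        return -1;
    if (!S_ISDIR(before->st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    return 0;
}

/* Second look: open the directory itself (never a symlink), fstat the
 * descriptor and compare with the snapshot. A real caller would fchown(fd)
 * here on VERDICT_OK so that the check and the chown hit the same inode.
 * strict=1 compares the whole st_mode, so rewritten permission bits reject;
 * strict=0 compares only device, inode and the file-type bits of st_mode. */
enum verdict verify_dir(const char *path, const struct stat *before, int strict)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return VERDICT_ERROR;
    if (fstat(fd, &now) != 0) {
        close(fd);
        return VERDICT_ERROR;
    }
    close(fd);
    if (now.st_dev != before->st_dev || now.st_ino != before->st_ino)
        return VERDICT_REPLACED;
    if (strict ? (now.st_mode != before->st_mode)
               : ((now.st_mode & S_IFMT) != (before->st_mode & S_IFMT)))
        return VERDICT_MODE_CHANGED;
    return VERDICT_OK;
}

/* Build a scratch directory under /tmp, snapshot it, apply one constructed
 * mutation between the two looks and return the verdict.
 *   0: nothing happens between the two looks
 *   1: chmod rewrites the permission bits (same inode)
 *   2: an empty sibling directory is renamed over the target (new inode) */
enum verdict run_scenario(int mutation, int strict)
{
    char tmpl[] = "/tmp/dirchk.XXXXXX";
    char sub[64], other[64];
    struct stat before;
    enum verdict v = VERDICT_ERROR;

    if (mkdtemp(tmpl) == NULL)
        return VERDICT_ERROR;
    snprintf(sub, sizeof sub, "%s/sub", tmpl);
    snprintf(other, sizeof other, "%s/other", tmpl);

    if (mkdir(sub, 0750) == 0 && snapshot_dir(sub, &before) == 0) {
        int ok = 1;
        if (mutation == 1)
            ok = (chmod(sub, 0770) == 0);
        else if (mutation == 2)
            ok = (mkdir(other, 0750) == 0 && rename(other, sub) == 0);
        if (ok)
            v = verify_dir(sub, &before, strict);
    }
    rmdir(sub);
    rmdir(other);   /* already gone after the rename; harmless otherwise */
    rmdir(tmpl);
    return v;
}

int main(void)
{
    static const char *names[] = { "ok", "replaced", "mode-changed" };
    for (int m = 0; m < 3; m++)
        for (int s = 1; s >= 0; s--) {
            enum verdict v = run_scenario(m, s);
            printf("mutation %d, %s: %s\n", m, s ? "strict" : "lenient",
                   v < 0 ? "error" : names[v]);
        }
    return 0;
}
```

The point of the contrast is that device and inode identify the object the descriptor refers to, and the file-type bits confirm it is still a directory; the permission bits carry no identity and can legitimately change under the caller's feet, so including them in the comparison turns an integrity check into a false refusal.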