The Samba-Bugzilla – Bug 10502
Samba doesn't respect 'mask' POSIX ACL
Last modified: 2014-03-18 22:25:56 UTC
Access control to files with the 'mask' ACL does not work properly. For example, if 'group' is set to have no access on a particular file, members of the same group should not be able to read, write or execute that file. If however the 'mask' ACL is set to full access, yet 'group' still has no access, Samba allows users of the same group to access the file. The same applies for 'other'. Replicating this same test in /tmp on the Linux machine yields the correct results - a member of the same group only gets the permissions defined in the 'group' ACL.
This is an issue, since extended ACLs such as 'user:testuser:r-x' are dependent on 'mask' being permissive enough. This was tested with client Samba version 3.6.3, with both the server and client running Ubuntu 12.04 LTS.
Steps to reproduce:
1. Set up a share available to other machines
2. Set up a user (non-Domain Admins to avoid UID mangling issues)
3. Create a file inside the share, with owner not equal to the user but group equal to the user's group
4. Run 'setfacl -m mask::rwx,group::---,other::--- <file>'
5. Optional: Run 'getfacl <file>' to verify that 'group' and 'other' should not be able to access the file, but 'mask' is set to allow all access
6. Connect to share as user
7. Attempt to read/write the file
Expected results: Access should be denied
Actual results: Access allowed according to the 'mask' ACL, ignoring the 'group' or 'other' ACL
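The behaviour the reporter expects is the POSIX.1e access check the Linux kernel performs (the "replicating in /tmp" result): the owner and 'other' entries are used as-is, while named-user, owning-group and named-group entries are ANDed with 'mask' before they can grant anything, and 'group::---' therefore denies a group member regardless of 'mask::rwx'. The following is an added example, not code from the bug report or from Samba: a small Python model of that algorithm, fed with constructed getfacl-style output for the file from steps 3 to 5 (the names alice, bob, carol, staff and the path are made up; 'testuser' is taken from the report). It goes slightly beyond the report by also showing the other direction, a restrictive mask clipping a named-user entry.

```python
"""Model of the POSIX.1e ACL access check (the rule the Linux kernel applies).

Added illustration for the bug's scenario; sample data below is constructed.
"""

R, W, X = 4, 2, 1
PERM_BITS = {"r": R, "w": W, "x": X}


def parse_perms(text):
    """Turn a getfacl permission string such as 'r-x' into a bitmask (5)."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def new_acl(owner=None, group=None):
    """Empty access ACL; 'mask' stays None until a mask entry is set."""
    return {"owner": owner, "group": group, "user_obj": 0, "group_obj": 0,
            "other": 0, "mask": None, "users": {}, "groups": {}}


def apply_entry(acl, entry):
    """Store one ACL entry ('user:testuser:r-x') into the ACL dict."""
    entry = entry.split("#", 1)[0].strip()    # drop '#effective:...' annotations
    if not entry or entry.startswith("default:"):
        return                                # default ACLs only shape new children
    tag, qualifier, perms = entry.split(":")
    bits = parse_perms(perms)
    if tag == "user":
        (acl["users"].__setitem__(qualifier, bits) if qualifier
         else acl.__setitem__("user_obj", bits))
    elif tag == "group":
        (acl["groups"].__setitem__(qualifier, bits) if qualifier
         else acl.__setitem__("group_obj", bits))
    elif tag == "mask":
        acl["mask"] = bits
    elif tag == "other":
        acl["other"] = bits
    else:
        raise ValueError("unknown ACL tag: %r" % tag)


def parse_getfacl(output):
    """Parse getfacl(1) text ('# owner:' / '# group:' header plus entries)."""
    acl = new_acl()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            apply_entry(acl, line)
    return acl


def setfacl_modify(acl, spec):
    """Mimic 'setfacl -m <spec>' for a comma-separated list of entries."""
    for entry in spec.split(","):
        apply_entry(acl, entry)
    return acl


def has_access(acl, user, user_groups, want):
    """POSIX.1e check: True if 'user' (member of 'user_groups') gets all bits in 'want'."""
    mask = acl["mask"]

    def masked(bits):
        # Everything except the owner and 'other' entries is limited by the mask.
        return bits if mask is None else bits & mask

    if user == acl["owner"]:                       # owner: mask does not apply
        return (acl["user_obj"] & want) == want
    if user in acl["users"]:                       # named user: clipped by mask
        return (masked(acl["users"][user]) & want) == want
    # Owning group first, then named groups, in ACL order.
    candidates = [acl["group_obj"]] if acl["group"] in user_groups else []
    candidates += [b for name, b in acl["groups"].items() if name in user_groups]
    for bits in candidates:
        if (bits & want) == want:                  # first covering entry decides...
            return (masked(bits) & want) == want   # ...after the mask is applied
    if candidates:
        return False                               # in the group, but no entry grants it
    return (acl["other"] & want) == want           # other: mask does not apply


# Constructed getfacl output for the file after step 4, plus a named-user entry
# of the kind the report mentions ('user:testuser:r-x').
SAMPLE_GETFACL = """\
# file: share/report.txt
# owner: alice
# group: staff
user::rw-
user:testuser:r-x
group::---
mask::rwx
other::---
"""


def demo():
    acl = parse_getfacl(SAMPLE_GETFACL)
    results = {
        "bob_in_staff_read": has_access(acl, "bob", {"staff"}, R),    # group::--- wins
        "carol_other_read": has_access(acl, "carol", {"users"}, R),   # other::--- wins
        "alice_owner_write": has_access(acl, "alice", {"staff"}, W),  # owner, no mask
        "testuser_exec": has_access(acl, "testuser", {"staff"}, X),   # r-x & rwx
    }
    # The other direction: a tight mask clips the named-user entry.
    setfacl_modify(acl, "mask::r--")
    results["testuser_exec_masked"] = has_access(acl, "testuser", {"staff"}, X)
    results["testuser_read_masked"] = has_access(acl, "testuser", {"staff"}, R)
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print("%-22s %s" % (name, "allowed" if granted else "denied"))
```

Running it prints "denied" for the group member and for 'other', which is the result the report expects over the share; the last two lines show why a tight mask matters for entries like 'user:testuser:r-x'.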
Sorry, I know I'm being dumb but this is not quite explicit enough.
What I'd like to see is:
> 2. Set up a user (non-Domain Admins to avoid UID mangling issues)
Tell me the name of that user.
> 3. Create a file inside the share, with owner not equal to the user but group
> equal to the user's group
Show me the result from ls -l <file> after this command.
> 4. Run 'setfacl -m mask::rwx,group::---,other::--- <file>'
And then show me the result from getfacl <file> as well, also the result from getfacl <containing directory of file>.
> 5. Optional: Run 'getfacl <file>' to verify that 'group' and 'other' should not
> be able to access the file, but 'mask' is set to allow all access
Then tell me who you are logging in as from the Linux box (the username), and show me the results of doing a getfacl </path/to/mounted/file> please.