Bug 10502 - Samba doesn't respect 'mask' POSIX ACL
Samba doesn't respect 'mask' POSIX ACL
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.1.5
All All
: P5 normal
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-18 11:12 UTC by Robin McCorkell
Modified: 2014-03-18 22:25 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robin McCorkell 2014-03-18 11:12:04 UTC
Access control to files with the 'mask' ACL does not work properly. For example, if 'group' is set to have no access on a particular file, members of the same group should not be able to read, write or execute that file. If however the 'mask' ACL is set to full access, yet 'group' still has no access, Samba allows users of the same group to access the file. The same applies for 'other'. Replicating this same test in /tmp on the Linux machine yields the correct results - a member of the same group only gets the permissions defined in the 'group' ACL.

This is an issue, since extended ACLs such as 'user:testuser:r-x' are dependent on 'mask' being permissive enough. This was tested with client Samba version 3.6.3, with both the server and client running Ubuntu 12.04 LTS.
Comment 1 Robin McCorkell 2014-03-18 11:16:52 UTC
To reproduce:

1. Set up a share available to other machines
2. Set up a user (non-Domain Admins to avoid UID mangling issues)
3. Create a file inside the share, with owner not equal to the user but group equal to the user's group
4. Run 'setfacl -m mask::rwx,group::---,other::--- <file>'
5. Optional: Run 'getfacl <file>' to verify that 'group' and 'other' should not be able to access the file, but 'mask' is set to allow all access
6. Connect to share as user
7. Attempt to read/write the file

Expected results:
Access should be denied

Actual results:
Access allowed according to the 'mask' ACL, ignoring the 'group' or 'other' ACL
Comment 2 Jeremy Allison 2014-03-18 22:25:56 UTC
Sorry, I know I'm being dumb but this is not quite explicit enough.

What I'd like to see is:

> 2. Set up a user (non-Domain Admins to avoid UID mangling issues)

Tell me the name of that user.

> 3. Create a file inside the share, with owner not equal to the user but group
> equal to the user's group

Show me the result from ls -l <file> after this command.

> 4. Run 'setfacl -m mask::rwx,group::---,other::--- <file>'

And then show me the result from getfacl <file> as well, also the result from getfacl <containing directory of file>.

> 5. Optional: Run 'getfacl <file>' to verify that 'group' and 'other' should not
> be able to access the file, but 'mask' is set to allow all access

Then tell me who you are logging in as from the Linux box (the username), and show me the results of doing a getfacl </path/to/mounted/file> please.

Thanks,

Jeremy.