Bug 106 - Cannot clear all bits for ACL entries for OTHER or GROUP_OBJ
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Other other
: P2 normal
: none
Assigned To: Jeremy Allison
Duplicates: 69 107
Reported: 2003-05-22 05:12 UTC by Ken Cross
Modified: 2005-08-24 10:25 UTC
Description Ken Cross 2003-05-22 05:12:52 UTC
POSIX ACLs require the 3 standard ACEs: USER_OBJ, GROUP_OBJ, and OTHER.  But 
if you clear all the ALLOW and DENY bits in the Security tab for a file, 
Windows doesn't send them at all.

Currently, the ensure_canon_entry_valid routine in posix_acls.c makes sure all 
3 are valid.  If they don't exist, it reads the existing ACE and uses it.

That makes it impossible to, for example, clear all the bits for "Everyone" 
(aka, OTHER).  If you clear them all, Windows doesn't send any OTHER ACE and 
ensure_canon_entry_valid replaces it with whatever was there before; hence 
it's not changed.

There could be a number of ways to resolve this, but the way it is now doesn't 
seem right.
Comment 1 Gerald (Jerry) Carter 2003-05-22 06:44:58 UTC
acl bugs == jra :-)
Comment 2 Ken Cross 2003-05-22 07:23:29 UTC
Duplicate of #69.
Comment 3 Gerald (Jerry) Carter 2003-05-22 08:22:55 UTC
added new CC
Comment 4 Gerald (Jerry) Carter 2003-05-22 08:23:09 UTC
*** Bug 69 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter 2003-05-22 08:23:55 UTC
Comments from Waider:

Server is Linux 2.4.20 + libattr + libacl; Samba shares are 
on ext3fs with ACL patches.

The Everyone ACL cannot be set to No Access from NT. The 
instruction appears to be disregarded, since the ACLs on 
the file are unchanged after an attempt to do so.
Comment 6 Gerald (Jerry) Carter 2003-05-22 08:24:54 UTC
consolidating some bugs.  Closed 69 as a duplicate of the one.
Probably bad practice since bug 69 was older, but I didn't 
think of that in time.  Added original poster of bug 69 to CC list.
Comment 7 Gerald (Jerry) Carter 2003-05-22 14:02:26 UTC
*** Bug 107 has been marked as a duplicate of this bug. ***
Comment 8 Jeremy Allison 2003-06-03 09:59:37 UTC
I have fixed this for 3.0 by not re-reading old ACL entries and just leaving
them as --- when not sent.
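
A simplified model of the behaviour described in this report and of the fix in comment 8, added here as an illustration. It is not Samba source code; the names `canonicalise`, `stored_mode`, `FILL_FROM_EXISTING` and `FILL_EMPTY` and the constructed 0755 file are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not Samba source. Only the three required entries. */
enum tag { USER_OBJ, GROUP_OBJ, OTHER, NTAGS };
enum policy { FILL_FROM_EXISTING, FILL_EMPTY };  /* before / after the fix */

struct ace { enum tag tag; unsigned perms; };    /* perms: r=4 w=2 x=1 */

/* Permission bits for one tag inside a mode such as 0755. */
static unsigned bits_of(unsigned mode, int t) { return (mode >> (6 - 3 * t)) & 7; }

/* Build the mode to store from the entries the client sent. A required
 * entry that the client omitted is filled according to `policy`. */
unsigned canonicalise(const struct ace *sent, size_t nsent,
                      unsigned existing, enum policy policy)
{
    unsigned out[NTAGS] = {0};
    int present[NTAGS] = {0};

    for (size_t i = 0; i < nsent; i++) {
        if ((unsigned)sent[i].tag >= NTAGS)
            continue;                            /* ignore unknown tags */
        out[sent[i].tag] = sent[i].perms & 7;
        present[sent[i].tag] = 1;
    }
    for (int t = 0; t < NTAGS; t++) {
        if (!present[t])                         /* entry was not sent */
            out[t] = (policy == FILL_FROM_EXISTING) ? bits_of(existing, t) : 0;
    }
    return (out[USER_OBJ] << 6) | (out[GROUP_OBJ] << 3) | out[OTHER];
}

/* Constructed scenario: the file is 0755 and every bit for "Everyone" is
 * cleared, so the client sends USER_OBJ and GROUP_OBJ but no OTHER entry. */
unsigned stored_mode(enum policy policy)
{
    const struct ace sent[] = { { USER_OBJ, 7 }, { GROUP_OBJ, 5 } };
    return canonicalise(sent, sizeof sent / sizeof sent[0], 0755, policy);
}

int main(void)
{
    printf("fill from existing: %04o\n", stored_mode(FILL_FROM_EXISTING));
    printf("fill with ---:      %04o\n", stored_mode(FILL_EMPTY));
    return 0;
}
```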
Comment 9 Gerald (Jerry) Carter 2005-02-07 07:57:30 UTC
originally reported against 3.0aph24.  Bugzilla spring cleaning.  
Removing old alpha versions.
Comment 10 Gerald (Jerry) Carter 2005-08-24 10:25:02 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.