Bug 10647 - inherit acls = yes can ignore the set group id bit
Status: NEEDINFO
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.7
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2014-06-02 18:00 UTC by Tom Schulz
Modified: 2021-05-24 16:27 UTC
Description Tom Schulz 2014-06-02 18:00:16 UTC
This problem shows up on both Linux and Solaris.
We have a setup where we want a group of users to be able to work in a common share. To do that I set up a group and made the users members of that group. I made the parent directory have that group as its group and added an ACL to make sure that everyone in the group could create files there and modify any files there. I set the set group id bit so that any new files would get this group as its group. I set the share to have inherit acls = yes so that the ACL would be inherited and used. But with inherit acls = yes, the set group id bit is not honored.

For instance, for a directory with an ACL of:
# file: ../acltest
# owner: hwdesign
# group: hwdesign
user::rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::r-x

And permissions set as:
drwxrwsr-x+ 6 hwdesign hwdesign 4096 2014-06-02 10:36 ../acltest/

A new folder (directory) is created with the following ACL:
# file: test
# owner: schulz
# group: users
user::rwx
user:schulz:rwx
group::rwx
group:users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:schulz:rwx
default:group::rwx
default:group:users:rwx
default:mask::rwx
default:other::r-x

And the following permissions:
drwxrwsr-x+ 2 schulz users 4096 2014-06-02 10:35 test

Note that the expected and desired group should be hwdesign.
Also, if the directory is accessed as an NFS mount by the Samba server then the set group id bit is lost (not shown above).
Comment 1 Jochem 2014-08-15 22:59:14 UTC
We have the same problem here on Samba 4.1.11.
Comment 2 Tom Schulz 2015-06-11 15:37:24 UTC
Ping.
Comment 3 Tom Schulz 2015-08-07 17:10:26 UTC
Problem also on Samba 4.2.3.
Comment 4 Tom Schulz 2016-02-24 18:57:09 UTC
The problem still exists on Samba 4.4.0rc3.
Comment 5 Björn Jacke 2021-05-12 10:17:24 UTC
I think this is unsupported deliberately, am I right, Jeremy?

You can also achieve behaviour similar to the SGID bit via the "force group" parameter.
Comment 6 Jeremy Allison 2021-05-24 16:26:28 UTC
Yes, SGID|SUID are stripped off by design once we see a default directory ACL.
Comment 7 Jeremy Allison 2021-05-24 16:27:24 UTC
Code in master is here:

        /*
         * Ensure we pay attention to default ACLs on directories if required.
         */

        if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
            (def_acl = directory_has_default_acl(conn,
                                conn->cwd_fsp,
                                parent_dir_fname)))
        {
                unx_mode = (0777 & lp_create_mask(SNUM(conn)));
        }

Note the "0777".
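
An added example, not part of the bug thread and not Samba code: a small audit an administrator could run on the file server to find entries showing the symptom reported above, that is, entries under a set-group-ID directory whose group differs from the parent's, and subdirectories that have lost the set-group-ID bit. The function names and the finding labels ("group-mismatch", "setgid-lost") are hypothetical.

```python
import os
import stat
import sys


def check_child(parent_st, child_st):
    """Compare one entry against its parent directory; return a list of findings.

    Only parents carrying the set-group-ID bit are considered, because that
    bit is what asks for the parent's group to be handed down to new entries.
    """
    findings = []
    if not (stat.S_ISDIR(parent_st.st_mode) and parent_st.st_mode & stat.S_ISGID):
        return findings
    if child_st.st_gid != parent_st.st_gid:
        findings.append("group-mismatch")
    if stat.S_ISDIR(child_st.st_mode) and not child_st.st_mode & stat.S_ISGID:
        findings.append("setgid-lost")
    return findings


def audit_tree(root):
    """Walk root without following symlinks; return sorted (path, finding) pairs."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_st = os.lstat(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                child_st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(child_st.st_mode):
                continue  # symlinks are skipped; only real files and directories are compared
            results.extend((path, f) for f in check_child(parent_st, child_st))
    return sorted(results)


if __name__ == "__main__":
    # Usage: python3 audit_setgid.py /path/to/share  (script name is hypothetical)
    for path, finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}\t{path}")
```

Run against the acltest directory from the description, the new "test" folder would be listed as a group-mismatch, since its group is users while the parent's is hwdesign.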