Bug 10792 - Wrong behaviour for default ACLs
Status: RESOLVED INVALID
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.21
Hardware: All Linux
Importance: P5 major
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Duplicates: 6042 8332
Reported: 2014-09-02 09:53 UTC by Dennis Verspuij
Modified: 2015-01-06 04:54 UTC

Description Dennis Verspuij 2014-09-02 09:53:04 UTC
This is a resubmission of bug 8332 from 2011, but it was never fixed and probably long forgotten. My samba version is 4.0.21, but I think all prior and later versions are affected as well. The annoyance is big, I hope one can please fix this, if you need further info let me know!

I have a Default ACL like this set up on my ext4-Filesystem:

sudo setfacl -R -d -m u::rwx,g::rwx,g:privusers:rwx,o::- data

getfacl looks like this:

# file: data/
# owner: lobo
# group: privusers
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---


when I now create a directory directly on the filesystem (without samba) the
acl is correctly applied and inherited:

mkdir test
getfacl test

# file: test/
# owner: lobo
# group: users
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---


when I create a file inside this folder directly on the server, the acl
works as expected:

touch test/testfile
getfacl test/testfile
# file: test/testfile
# owner: lobo
# group: users
user::rw-
group::rwx                      #effective:rw-
group:privusers:rwx             #effective:rw-
mask::rw-
other::---


but when I create a file on my mounted folder on Windows 7 the acl looks like
this:

getfacl test/testwindows
# file: test/testwindows
# owner: grmuser
# group: privusers
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---

so everybody gets unnecessary X-permissions


my Samba-Config looks like this:

[grmdata]
path = /media/grmdata/smbshare
public = no
comment = grm-files
inherit permissions = Yes
inherit acls = Yes
available = yes
browseable = yes
guest ok = no
writable = yes
valid users = grmuser popcorn
read list = popcorn
vfs objects = /usr/lib/samba/vfs/recycle.so
                        recycle:repository=.recycle
                        recycle:versions=True
                        recycle:touch=True
                        recycle:keeptree=True
                        recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*
                        recycle:exclude_dir=/tmp|/temp|/cache
                        recycle:directory_mode=750

Comment 1 Paul Barker 2012-08-28 13:04:54 UTC
I have this exact problem: With ACLs enabled, files are being created with mode
0670 despite the create mask being 0660. This results in the ACL 'mask::rwx'
and the execute bit being set where it shouldn't be.

This bug also appears to be a duplicate of bug 6042.

This is a fresh install of Openfiler ESA 2.99.1 running Samba 3.5.6.

Here is my samba config as displayed by testparm:

[global]
        workgroup = BETAFIVE
        realm = BETAFIVE.CO.UK
        server string = Openfiler NAS
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = 192.168.0.40
        guest account = ofguest
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 0
        load printers = No
        os level = 0
        local master = No
        domain master = No
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template homedir = /mnt/vg0/users/users/%U
        template shell = /sbin/nologin
        winbind cache time = 15
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        create mask = 0660
        force create mode = 0660
        security mask = 0660
        directory mask = 0770
        force directory mode = 0770
        directory security mask = 0770
        map archive = No

[users]
        comment = users
        path = /mnt/vg0/files/users
        read only = No
        hosts allow = 192.168.0.0/24
        veto files = /*:Zone.Identifier:*/
        veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/

Any further details can be provided on request.
Comment 1 Jeremy Allison 2014-09-03 15:02:03 UTC
This is due to the different umasks in your normal environment, and in smbd.

smbd has a umask of 0, and so will not mask off any group bits when inheriting an ACL.

Look at your default ACL on the dir:

# file: test/
# owner: lobo
# group: users
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---

Now when you create a file via smbd, you get exactly what the default entries suggest you should get - i.e.:

# file: test/testwindows
# owner: grmuser
# group: privusers
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---

Remember, the "security mask" and "directory mask" parameters were removed for Samba 4.0.x.
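
Added example, not part of the bug report and not Samba code: a small Python model of the acl(5) inheritance rule on Linux, showing how the mode a process passes when it creates a file limits the ACL inherited from the directory's default entries. The default ACL is copied from the getfacl output above; 0666 is the mode touch requests, and 0777 is an assumed mode chosen here only because it reproduces the smbd result quoted in this report.

```python
# Model of acl(5) inheritance for a new file on Linux (illustration only).
# When the parent directory has a default ACL, the umask is not consulted:
# the default entries are copied, and user::, mask:: (or group:: when there
# is no mask entry) and other:: are ANDed with the mode given to open().

# Default entries of data/ from the report, "default:" prefix removed.
DEFAULT_ACL = ["user::rwx", "group::rwx", "group:privusers:rwx",
               "mask::rwx", "other::---"]

def perm_to_bits(perm):
    return sum(4 >> i for i, c in enumerate(perm) if c != "-")

def bits_to_perm(bits):
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate("rwx"))

def inherit_file_acl(default_acl, mode):
    """Return [(tag, qualifier, bits)] for a file created with `mode`."""
    owner, group_class, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    entries = [line.split(":") for line in default_acl]
    has_mask = any(tag == "mask" for tag, _, _ in entries)
    acl = []
    for tag, qualifier, perm in entries:
        bits = perm_to_bits(perm)
        if tag == "user" and not qualifier:
            bits &= owner
        elif tag == "mask":
            bits &= group_class
        elif tag == "group" and not qualifier and not has_mask:
            bits &= group_class
        elif tag == "other":
            bits &= other
        acl.append((tag, qualifier, bits))
    return acl

def render(acl):
    """Format like getfacl, including the #effective note."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), 7)
    lines = []
    for tag, qualifier, bits in acl:
        line = f"{tag}:{qualifier}:{bits_to_perm(bits)}"
        limited = tag == "group" or (tag == "user" and qualifier)
        if limited and bits & mask != bits:
            line += f"\t#effective:{bits_to_perm(bits & mask)}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    for label, mode in (("mode 0666 (touch)", 0o666), ("mode 0777 (assumed)", 0o777)):
        print(label, *render(inherit_file_acl(DEFAULT_ACL, mode)), sep="\n  ")
```

The named group entries are copied unchanged in both cases; only the mask differs, which is why the execute bit becomes effective for every group entry when the creating process requests it.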
Comment 2 Dennis Verspuij 2014-09-03 15:28:56 UTC
(In reply to comment #1)

Hi Jeremy, thanks for your comment, though I do not see how this helps me fix this inconsistency. What do I need to change to make the effective permissions resulting through Samba be the same as on the command line? Change the umask of smbd? I want these effective permissions by any means:

# file: test/testwindows
# owner: lobo
# group: users
user::rw-
group::rwx                      #effective:rw-
group:privusers:rwx             #effective:rw-
mask::rw-
other::---
Comment 3 Jeremy Allison 2014-09-03 15:30:01 UTC
Change the inheritable permissions on the containing directory.
Comment 4 Björn Jacke 2014-09-04 10:54:24 UTC
*** Bug 8332 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2014-09-04 12:34:35 UTC
*** Bug 6042 has been marked as a duplicate of this bug. ***
Comment 6 Dennis Verspuij 2014-09-04 12:43:22 UTC
(In reply to comment #3)
> Change the inheritable permissions on the containing directory.

You mean the default acl permissions? I can't set those to rw- because then any created subdirectories will default to be inaccessible. The point here is that files created on the command line yield mask::rw- while those created through samba yield mask::rwx, and that is incorrect. How can I ensure that mask::rw- will be effective for files created through Samba?
Comment 7 Scott Gillespie 2014-12-05 22:22:32 UTC
(In reply to Dennis Verspuij from comment #6)

Has there been any followup on this? I'm experiencing the exact same problem and have not been able to resolve it. I'm running 4.1.6+dfsg-1 on Ubuntu 14.04LTS

Thanks.
Comment 8 Dennis Verspuij 2014-12-09 09:31:50 UTC
(In reply to Scott Gillespie from comment #7)
Unfortunately not, and I haven't been able to work around this either, I learned to live with it and manually correct ACL every now and then.

Samba's behaviour is inconsistent with any other means mangling with ACL, but too bad the developers just seem to ignore this fact.
Comment 9 ryan2980 2015-01-04 23:10:05 UTC
I also have this issue and I've seen people report it as a bug on other lists as far back as 2007.  Ex:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410048

Even if it's the intended behavior it's confusing. Jeremy, can you elaborate on what you mean by "change the inheritable permissions on the containing directory"? I'd like to get things to work like Dennis describes in comment 2.

What exactly is create mask doing when ACLs are being used?