11448 – vfs_streams_xattr and create mask = 0640 don't play well together

Bug 11448 - vfs_streams_xattr and create mask = 0640 don't play well together

Summary: vfs_streams_xattr and create mask = 0640 don't play well together

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	4.2.3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-08-14 10:40 UTC by Thomas Werschlein
Modified:	2018-08-30 17:48 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Werschlein 2015-08-14 10:40:07 UTC

Upon setting an xattr from an SMB-client on a directory that is shared with option "create mask = 0640" the directory loses the execute bit for the owner and renders the directory inaccessible.

In practice, this affects OS X users (tested with OS X 10.10.4 as SMB client) that are setting tags on a directory that is shared that way.

I was able to isolate the problem down to the VFS module "streams_xattr" (which is needed when using fruit) and the (non-default) setting of "create mask = 0640". With the default create mask of 0740 you won't encounter the problem.

The problem arises independent of the xattr supporting filesystem (ZFS or ext4) and independent of the SMB client (an "echo myval > mydir:myattr" on a Windows 10 client has the same effect as using an OS X client).

Our test smb.conf for a self-compiled samba 4.2.3 on Ubuntu 14.04 looks like this:

# Global parameters
[global]
	workgroup = MYGROUP
	server string = Samba Server
	server role = standalone server
	log file = /usr/local/samba/var/log.%m
	dns proxy = No
	idmap config * : backend = tdb


[xattr]
	path = /data/xattr
	read only = No
	create mask = 0640
	ea support = Yes
	vfs objects = streams_xattr

The root directory on the linux host is mounted with xattr support:
root@ubuntu:~# mount | grep xattr
/dev/sda1 on / type ext4 (rw,errors=remount-ro,user_xattr)

From an OSX 10.10.4 SMB client the problem manifests as follows:

1. mounting the share from the Finder with address 'smb://10.211.55.3/xattr'
2. create a new directory (from the Finder or from cmd line), the permissions are correct (x flag set for owner)

root@ubuntu:/data/xattr# ls -ld untitled\ folder/
drwxr-xr-x 2 parallels parallels 4096 Aug  7 17:34 untitled folder/

3. add the tag "red" to the newly created folder. Now the x flag is missing for the owner:

root@ubuntu:/data/xattr# ls -ld untitled\ folder/
drw-r-xr-x 2 parallels parallels 4096 Aug  7 17:39 untitled folder/

4. there is no problem with the xattr though as seen from the Mac ...

me@mymac:/Volumes/xattr ls -ld@ untitled\ folder/
drwx------@ 1 thomi  staff  16384 Aug  7 17:34 untitled folder//
	com.apple.FinderInfo	   32
	com.apple.metadata:_kMDItemUserTags	   50

... or directly on the samba server:

root@ubuntu:/data/xattr# xattr -pl 'user.DosStream.com.apple.metadata_kMDItemUserTags:$DATA' untitled\ folder/
user.DosStream.com.apple.metadata_kMDItemUserTags:$DATA:
0000   62 70 6C 69 73 74 30 30 A1 01 55 52 65 64 0A 36    bplist00..URed.6
0010   08 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00    ................
0020   00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 10 00                                           ...


It appears that streams_xattr is considering the "create mask" when modifiying Alternate Data Streams on directories, while "create mask" is only intended for files (and we don't expect permission changes when modifiying metadata anyway, do we?).

Regards, Thomas