Bug 11505 - vfs_fruit OS X client interprets permissions in different way
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.2.3
Hardware: All
OS: Mac OS X
Importance: P3 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2015-09-09 12:54 UTC by Michal Moravec
Modified: 2016-10-25 05:34 UTC (History)
Attachments
Level 10 debug log (410.00 KB, application/zip)
2015-09-09 12:54 UTC, Michal Moravec
no flags

Description Michal Moravec 2015-09-09 12:54:32 UTC
Created attachment 11422
Level 10 debug log

With the vfs_fruit module we are encountering strange behaviour when OS X clients display file permissions and ACLs. Also, permissions differ between files created when the vfs_fruit module is ON and when it is OFF.

Server setup:
Gentoo Linux
Samba 4.2.3
Users in Active Directory
We were able to replicate this problem in 3 different AD/Samba environments.
They have shares on different filesystems.
Production - EXT4 filesystem
Testing & Development - Btrfs filesystem

Fruit config (everything left to default):
vfs objects = catia fruit streams_xattr
[NOTE: we also tried to change settings fruit:nfs_aces and fruit:aapl without any visible results]

Client setup:
OS X 10.10.5 with Apple SMBX

Steps to reproduce:

[FRUIT is OFF]
-> mount samba share on OS X client
>> touch nofruit_acl_file
>> ls -lae@ nofruit_acl_file 
-rwx------+ 1 apple  SAMDOM\Domain Users  0 Sep  9 05:07 nofruit_acl_file
 0: user:apple inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:admin inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Users inherited allow read,execute,readattr,readextattr,readsecurity
 3: user:administrator inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:SAMDOM\Domain Admins inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: user:root inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
>> mkdir nofruit_acl_file
>> ls -laed@ nofruit_acl_dir
drwx------+ 1 apple  SAMDOM\Domain Users  16384 Sep  9 05:08 nofruit_acl_dir
 0: user:apple inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: group:admin inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: user:apple inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: group:owner inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 4: group:SAMDOM\Domain Users inherited allow list,search,readattr,readextattr,readsecurity
 5: group:group inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 6: user:administrator inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: group:SAMDOM\Domain Admins inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: user:root inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
-> unmount samba share

-> TURN vfs_fruit ON
-> TURN ON level 10 debug logging

[FRUIT is ON]
-> mount samba share on OS X client
[NOTE: Let's see how permissions look on files we created previously when vfs_fruit was disabled]
>> ls -lae@ nofruit_acl_file 
-rwxrwx---+ 1 apple  SAMDOM\Domain Users  0 Sep  9 05:07 nofruit_acl_file
 0: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 7: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: user:administrator allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: group:everyone allow 
>> ls -laed@ nofruit_acl_dir
drwxrwx---+ 1 apple  SAMDOM\Domain Users  16384 Sep  9 05:08 nofruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Fo allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:everyone allow file_inherit,directory_inherit
 11: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 12: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 13: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit

[NOTE: OS X clients interpret unix group permission bits differently. Also there are more ACEs displayed. For example OS X shows two ACEs for group Domain Admins]

-> Let's create some new files

>> touch fruit_acl_file
>> ls -lae@ fruit_acl_file
-rw-rwxr--+ 1 apple  SAMDOM\Domain Users  0 Sep  9 05:13 fruit_acl_file
 0: user:apple allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,readattr,readextattr,readsecurity
 7: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: user:administrator allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow read,readattr,readextattr,readsecurity
>> mkdir fruit_acl_dir
>> ls -laed@ fruit_acl_dir
drwxrwxr-x+ 1 apple  SAMDOM\Domain Users  16384 Sep  9 05:14 fruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 11: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow list,search,readattr,readextattr,readsecurity
 13: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 14: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 15: group:everyone allow file_inherit,directory_inherit,only_inherit

[NOTE: Permissions for files created with vfs_fruit enabled look different once again]

-> unmount samba share

-> turn OFF vfs_fruit and see how permissions for new files look now

[FRUIT is OFF]
-> mount samba share on OS X client

>> ls -lae@ fruit_acl_file
-rwx------+ 1 apple  SAMDOM\Domain Users  0 Sep  9 05:13 fruit_acl_file
 0: user:apple allow read,write,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: user:apple allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,readattr,readextattr,readsecurity
 7: user:apple allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: group:SAMDOM\Domain Admins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: user:root allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: group:admin allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: user:administrator allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow read,readattr,readextattr,readsecurity
>> ls -laed@ fruit_acl_dir
 drwx------+ 1 apple  SAMDOM\Domain Users  16384 Sep  9 05:14 fruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 11: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow list,search,readattr,readextattr,readsecurity
 13: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 14: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 15: group:everyone allow file_inherit,directory_inherit,only_inherit

REAL POSIX ACLs how Gentoo Linux sees them:

# file: fruit_acl_dir
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
user:apple:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:3000002:rwx
default:user:domain\040admins:rwx
default:user:apple:rwx
default:group::r-x
default:group:users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:3000002:rwx
default:group:domain\040admins:rwx
default:group:apple:rwx
default:mask::rwx
default:other::---

# file: fruit_acl_file
# owner: apple
# group: users
user::rw-
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
user:apple:rwx
group::r--
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::r--

# file: nofruit_acl_dir
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:3000002:rwx
default:user:domain\040admins:rwx
default:user:apple:rwx
default:group::r-x
default:group:users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:3000002:rwx
default:group:domain\040admins:rwx
default:group:apple:rwx
default:mask::rwx
default:other::---

# file: nofruit_acl_file
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::---

What is going on?
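To make listings like the ones above comparable side by side, here is an added example (not part of the bug report and not Samba code) that parses both formats shown in it: the Linux `getfacl` output, decoding the `\040` and `\134` octal escapes getfacl uses for spaces and backslashes in names and applying the POSIX.1e mask to work out what each entry effectively grants; and the OS X `ls -le` output, extracting the mode triplet and the ACE list and flagging ACEs that appear more than once for the same subject with identical rights (the doubled Domain Admins entries noted above). The sample inputs are constructed and modelled on the report's listings; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample inputs, modelled on the listings in the bug report.
GETFACL_SAMPLE = """\
# file: fruit_acl_file
# owner: apple
# group: users
user::rw-
user:root:rwx
user:domain\\040admins:rwx
group::r--
group:users:r-x
mask::r-x
other::r--
"""

LS_LE_SAMPLE = """\
-rwxrwx---+ 1 apple  SAMDOM\\Domain Users  0 Sep  9 05:07 nofruit_acl_file
 0: user:apple allow read,write,execute,append
 1: group:SAMDOM\\Domain Admins allow read,write,execute,append
 2: group:SAMDOM\\Domain Users inherited allow read,execute
 3: group:SAMDOM\\Domain Admins allow read,write,execute,append
 4: group:everyone allow 
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape_qualifier(q):
    """getfacl writes spaces and backslashes in names as \\040 and \\134."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), q)

def parse_getfacl(text):
    """Return (header, entries); entries are (tag, qualifier, perms, is_default)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# file: ...", "# owner: ..."
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        is_default = line.startswith("default:")      # default ACL on directories
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, unescape_qualifier(qualifier), perms, is_default))
    return header, entries

def _apply_mask(perms, mask):
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))

def effective_rights(entries, default=False):
    """POSIX.1e: named users, the owning group and named groups are limited by
    the mask entry; the owner (user::) and other:: are not."""
    mask = next((p for t, q, p, d in entries if t == "mask" and d == default), None)
    out = {}
    for tag, qual, perms, is_default in entries:
        if is_default != default or tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qual != "")
        out[f"{tag}:{qual}"] = _apply_mask(perms, mask) if mask and masked else perms
    return out

def posix_mode_string(entries):
    """The rwx triplet ls(1) shows on Linux: owner, then the mask (when an ACL
    is present) in the group position, then other."""
    e = {(t, q): p for t, q, p, d in entries if not d}
    group = e.get(("mask", "")) or e[("group", "")]
    return e[("user", "")] + group + e[("other", "")]

_ACE = re.compile(r"^\s*(\d+):\s+(user|group):(.+?)\s+(inherited\s+)?(allow|deny)\s*(.*)$")
_MODE = re.compile(r"^[-dl]([rwx-]{9})")

def parse_ls_le(text):
    """Parse `ls -le` output: returns (mode triplet, list of ACE dicts)."""
    mode, aces = None, []
    for line in text.splitlines():
        m = _MODE.match(line)
        if m:
            mode = m.group(1)
            continue
        m = _ACE.match(line)
        if m:
            rights = tuple(r for r in m.group(6).split(",") if r)   # empty for "allow "
            aces.append({"kind": m.group(2), "who": m.group(3),
                         "inherited": m.group(4) is not None,
                         "type": m.group(5), "rights": rights})
    return mode, aces

def duplicate_aces(aces):
    """ACEs listed more than once with identical subject, type and rights."""
    counts = Counter((a["kind"], a["who"], a["type"], a["rights"]) for a in aces)
    return [key for key, n in counts.items() if n > 1]

if __name__ == "__main__":
    header, entries = parse_getfacl(GETFACL_SAMPLE)
    print(header["file"], posix_mode_string(entries), effective_rights(entries))
    mode, aces = parse_ls_le(LS_LE_SAMPLE)
    print(mode, duplicate_aces(aces))
```

Feeding the real `getfacl` and `ls -le` captures from the report into `parse_getfacl` and `parse_ls_le` gives, for each file, the mode string the server's ACL implies next to the one the client displayed, and a list of the ACEs the client shows twice, which is the quickest way to see whether a change in `fruit:nfs_aces` or the mapping of POSIX entries to NFSv4 ACEs is what moved.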