Bug 11806 - vfs_acl_xattr/vfs_acl_tdb: POSIX ACLs set even if "ignore system acls" is true
vfs_acl_xattr/vfs_acl_tdb: POSIX ACLs set even if "ignore system acls" is true
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2016-03-21 21:03 UTC by Uri Simchoni
Modified: 2016-04-20 07:27 UTC (History)
2 users (show)

See Also:

git-am fix for 4.4.next and 4.3.next (7.12 KB, patch)
2016-03-24 13:07 UTC, Uri Simchoni
jra: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Uri Simchoni 2016-03-21 21:03:05 UTC
According to the man page, vfs_acl_xattr should not modify the undelying system ACLs upon setting the NT ACLs, if "ignore system acls" is yes.

In practice, vfs_acl_xattr (and vfs_acl_tdb - it's common code) always sets the underlying ACLs - UNIX permissions and POSIX ACLs. It ignores them only when fetching the NT ACL (not comparing to the underlying ACL).

This has significance, for example, when emulating a Windows server. A Windows server, by default, does not check the "traverse folder" right (equivalent of the execute bit in UNIX) - this is configurable in local security policy, see "Bypass traverse checking" https://technet.microsoft.com/en-us/library/dn221950.aspx . If a user has no access to an outer folder, he can still access an inner folder if he has permissions for the inner folder.

A way to emulate that would be to set a permissive UNIX permissions (0777) on folders, and enforce access via smbd only. However, since UNIX permissions are always modified to match the NT ACL, if the NT ACL of the outer folder does not have "traverse folder" right for the user, the POSIX ACL may also lack execute bit, denying access to the inner folder.
Comment 1 Uri Simchoni 2016-03-24 13:07:57 UTC
Created attachment 11936 [details]
git-am fix for 4.4.next and 4.3.next
Comment 2 Jeremy Allison 2016-03-24 23:42:22 UTC
Comment on attachment 11936 [details]
git-am fix for 4.4.next and 4.3.next

Comment 3 Jeremy Allison 2016-03-24 23:44:31 UTC
Re-assigning to Karolin for inclusion in 4.4.next, 4.3.next.
Comment 4 Karolin Seeger 2016-04-18 10:52:09 UTC
(In reply to Jeremy Allison from comment #3)
Pushed to autobuild-v4-[4|3]-test.
Comment 5 Karolin Seeger 2016-04-20 07:27:03 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.