Bug 11983 - samba-4.0 only: share-ACLs won't restrict users in changing file-ACLs
Summary: samba-4.0 only: share-ACLs won't restrict users in changing file-ACLs
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-20 12:52 UTC by Peter Somogyi
Modified: 2016-06-20 13:47 UTC (History)
1 user (show)

See Also:


Attachments
fixes the coding intention + torture (774 bytes, patch)
2016-06-20 12:52 UTC, Peter Somogyi
no flags Details
recreate this bug (13.34 KB, patch)
2016-06-20 12:57 UTC, Peter Somogyi
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Somogyi 2016-06-20 12:52:53 UTC
Created attachment 12188 [details]
fixes the coding intention + torture

It's a samba-4.0 only bug, creating this ticket for fix archival.

When a share-ACL is set to CHANGE, users still can change file permissions (file ACLs). Expected that only FULL access would allow it.

I've tested samba-3.6, samba-4.2, samba-4.3, windows 7, win 2012 all works as expected. (Did not try samba-4.1.)

Attaching the 1-liner bugfix and torture.
Comment 1 Peter Somogyi 2016-06-20 12:57:41 UTC
Created attachment 12189 [details]
recreate this bug

Attaching reproducer.

smbtorture //<ip>/<share> -UAdministrator%XXXXX --option=torture:extra_user1=<existing normal username> --option=torture:extra_password1=XXXXX -W <domain> rpc.samba3.sharesec2