Bug 12028 - vfs_acl_xattr and default ACL for objects without NT ACL xattr
Summary: vfs_acl_xattr and default ACL for objects without NT ACL xattr
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 12177
Reported: 2016-07-18 16:15 UTC by Ralph Böhme
Modified: 2020-12-11 13:25 UTC
CC: 3 users

See Also:


Attachments
Patch for 4.3 and 4.4 cherry-picked from master (11.36 KB, patch)
2016-08-02 10:30 UTC, Ralph Böhme
metze: review+
slow: review? (jra)

Description Ralph Böhme 2016-07-18 16:15:26 UTC
Even with "ignore system acls" set to "yes", for objects without an NT ACL xattr we use the underlying filesystem permissions to construct an NT ACL. This can result in *very* unexpected permissions, e.g.:

- a directory with the following ACL:

$ ./bin/smbcacls -Uslow%pass //localhost/normal ""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\root
ACL:SLOW\slow:ALLOWED/0x0/FULL

So only one non-inheritable(!) ACE.

- creating a subdirectory:

$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"

- checking whether there's an ACL xattr:

$ getfattr -m "" /Volumes/normal/dir1
getfattr: Removing leading '/' from absolute path names
system.posix_acl_access
system.posix_acl_default
user.DOSATTRIB

So there isn't an ACL xattr, because there were no inheritable ACEs on the parent folder.

- reading the new subdirectory's ACL:

$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:Unix Group\slow:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/READ
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL

The ACEs for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming from the underlying filesystem. This is the problem.

Have patch, need bugnumber.
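As an added check for the situation described in this report (not part of the original report or of Samba), the script below walks a share tree and flags objects that have no stored NT ACL xattr and whose mode bits would make the synthesized ACL wider than the owner-only ACL of the parent. It assumes vfs_acl_xattr keeps the NT ACL in the security.NTACL xattr and uses a simplified mode-to-principal summary rather than Samba's exact mapping; the sample records are constructed from the getfattr and smbcacls output above.

```python
"""Audit a share tree for objects with no stored NT ACL xattr whose POSIX mode
bits would widen the ACL Samba synthesizes in the fallback path. Added check,
not Samba code. Assumed: NT ACL xattr is 'security.NTACL'; mapping is simplified."""
import os
import stat
import sys
from typing import Dict, Iterable, List

NTACL_XATTR = "security.NTACL"
# Constructed records mirroring the report: dir1 carries only POSIX ACL and DOS
# attribute xattrs; a hypothetical file with a stored NT ACL is added for contrast.
SAMPLE_RECORDS = [
    {"path": "/Volumes/normal/dir1", "mode": 0o040755,
     "xattrs": ["system.posix_acl_access", "system.posix_acl_default", "user.DOSATTRIB"]},
    {"path": "/Volumes/normal/with_ntacl.txt", "mode": 0o100644,
     "xattrs": ["security.NTACL", "user.DOSATTRIB"]},
]

def fallback_principals(mode: int) -> List[str]:
    """Principals beyond the owner that the mode bits would grant READ to (owner always gets FULL)."""
    extra = []
    if mode & stat.S_IRGRP:
        extra.append("Unix Group")
    if mode & stat.S_IROTH:
        extra.append("Everyone")
    return extra

def audit(records: Iterable[Dict]) -> List[Dict]:
    """One finding per object lacking the NT ACL xattr whose mode bits hand READ to group or Everyone."""
    findings = []
    for r in records:
        if NTACL_XATTR in r["xattrs"]:
            continue  # stored NT ACL present: no fallback to mode bits
        extra = fallback_principals(r["mode"])
        if extra:
            findings.append({"path": r["path"], "grants_read_to": extra})
    return findings

def scan_tree(root: str) -> List[Dict]:  # collects path/mode/xattr records (Linux xattr API)
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            records.append({"path": p, "mode": os.lstat(p).st_mode,
                            "xattrs": os.listxattr(p, follow_symlinks=False)})
    return records

if __name__ == "__main__":
    recs = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for f in audit(recs):
        print(f"{f['path']}: no {NTACL_XATTR}; mode grants READ to {', '.join(f['grants_read_to'])}")
```

Run it as a user permitted to list xattrs on the share; with no argument it audits the constructed sample records.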
Comment 1 Ralph Böhme 2016-08-02 10:30:13 UTC
Created attachment 12302 [details]
Patch for 4.3 and 4.4 cherry-picked from master
Comment 2 Karolin Seeger 2016-08-03 07:57:41 UTC
Pushed to autobuild-v4-[4|3]-test.
Comment 3 Karolin Seeger 2016-08-05 07:45:06 UTC
(In reply to Karolin Seeger from comment #2)
Pushed to both branches.
Closing out bug report.

Thanks!