Bug 12716 - "inherit acls" causes applying of both default acls and acl inheritance by samba
"inherit acls" causes applying of both default acls and acl inheritance by samba
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.6.0
Hardware: x64 Linux
Importance: P5 normal
Assigned To: Samba QA Contact
Reported: 2017-03-23 14:09 UTC by olaf
Modified: 2017-03-23 14:09 UTC (History)

Description olaf 2017-03-23 14:09:24 UTC
The problem is that, in the current state, smbd first creates the file and lets the system apply the default POSIX ACLs (and applies "create mask"):

smbd/open.c:

if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
    (def_acl = directory_has_default_acl(conn, parent_dir))) {
    unx_mode = (0777 & lp_create_mask(SNUM(conn)));

So far, so good. The operating system applies the default ACLs and "create mask" is taken into account. But later, smbd rewrites the ACLs:

smbd/open.c:

} else if (lp_inherit_acls(SNUM(conn))) {
    /* Inherit from parent. Errors here are not fatal. */
    status = inherit_new_acl(fsp);
    if (!NT_STATUS_IS_OK(status)) {
        DEBUG(10,("inherit_new_acl: failed for %s with %
            fsp_str_dbg(fsp),
            nt_errstr(status) ));
    }

Because it rewrites the ACLs, "create mask" (e.g. 666) is not applied, and ordinary files get execute permission.
So, basically, it first lets the system apply the default ACLs, then does its own inheritance. I want only the first portion.

Commenting out the second portion makes it work correctly. To get the desired effect, the parameter "store dos attributes = yes" also has to be set.

I have no idea why the second portion (inherit_new_acl(fsp)) was added, but it causes me trouble.
If it cannot be removed for some other reason, I can produce a patch with a new option, e.g. "inherit acls posix only" or whatever other name you prefer, so it can be disabled separately.
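The following is an added example, not part of the bug report and not Samba's code. It models the two paths the report describes so the execute-bit leak can be seen on a constructed default ACL: path 1 is the POSIX.1e rule the kernel applies at create(2), where the parent's default ACL becomes the new file's access ACL and the user::, mask:: (or group::, when there is no mask) and other:: entries are ANDed with the requested mode, which smbd sets to 0777 & "create mask"; path 2 is the later rewrite from the parent that the report says ignores "create mask", modeled here simply as the same inheritance with mode 0777. The second path is a model of the reported symptom, not a reimplementation of inherit_new_acl(); the sample ACL, the helper names and the 666 create mask are assumptions for illustration.

```python
# Added example (not Samba's code): model of default-ACL inheritance with and
# without the "create mask", following the description in bug 12716.
import stat

# Constructed sample: a share directory's default ACL in getfacl notation.
SAMPLE_DEFAULT_ACL = """
default:user::rwx
default:user:alice:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
"""

CREATE_MASK = 0o666  # the smb.conf "create mask" value from the report


def parse_acl(text):
    """Parse getfacl-style lines into (tag, qualifier, rwx-bits) entries."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] == "default":
            parts = parts[1:]
        tag, qual, perm = parts
        bits = (4 if "r" in perm else 0) | (2 if "w" in perm else 0) | (1 if "x" in perm else 0)
        entries.append((tag, qual, bits))
    return entries


def perm_str(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def inherit_with_mode(default_acl, mode):
    """POSIX.1e rule applied by the kernel when a file is created in a directory
    that carries a default ACL: the default ACL becomes the file's access ACL,
    and the user::, mask:: (or group:: when no mask exists) and other:: entries
    are ANDed with the owner, group and other bits of the mode given to open(2)."""
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qual, bits in default_acl:
        if tag == "user" and qual == "":
            bits &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        result.append((tag, qual, bits))
    return result


def effective_mode(acl):
    """Permission bits st_mode reports for a file with this ACL: owner from
    user::, group from mask:: (group:: without a mask), other from other::."""
    has_mask = any(tag == "mask" for tag, _, _ in acl)
    mode = 0
    for tag, qual, bits in acl:
        if tag == "user" and qual == "":
            mode |= bits << 6
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            mode |= bits << 3
        elif tag == "other":
            mode |= bits
    return mode


def format_acl(acl):
    """Render entries back in getfacl notation (access ACL, no 'default:')."""
    return "\n".join(f"{tag}:{qual}:{perm_str(bits)}" for tag, qual, bits in acl)


def new_file_mode(default_acl_text, create_mask, apply_create_mask=True):
    """Mode of a regular file created below the parent. With apply_create_mask
    the requested mode is 0777 & create_mask (path 1: kernel plus create mask);
    without it the inheritance is redone with 0777, which is how the unmasked
    rewrite from the report is modeled here (path 2)."""
    requested = (0o777 & create_mask) if apply_create_mask else 0o777
    return effective_mode(inherit_with_mode(parse_acl(default_acl_text), requested))


if __name__ == "__main__":
    for label, masked in (("path 1 (kernel + create mask)", True), ("path 2 (ACL rewrite)", False)):
        mode = new_file_mode(SAMPLE_DEFAULT_ACL, CREATE_MASK, masked)
        print(f"{label}: {oct(mode)} owner-executable={bool(mode & stat.S_IXUSR)}")
        print(format_acl(inherit_with_mode(parse_acl(SAMPLE_DEFAULT_ACL), 0o777 & CREATE_MASK if masked else 0o777)))
```

With the sample ACL and a 666 create mask, path 1 yields a 664 file (user::rw-, mask::rw-, other::r--; the named user alice keeps rwx in the entry but is limited by the mask), while the unmasked rewrite yields 775, which is the stray execute bit on ordinary files the report complains about. The same helpers handle a default ACL without a mask entry, where group:: takes the mask's role.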