Bug 12716 - "inherit acls" causes applying of both default acls and acl inheritance by samba
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.6.0
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2017-03-23 14:09 UTC by olaf
Modified: 2021-03-10 16:28 UTC
Description olaf 2017-03-23 14:09:24 UTC
The problem is that, in its current state, smbd first creates a file and allows the system to apply default POSIX ACLs (and applies "create mask"):

smbd/open.c:

if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
    (def_acl = directory_has_default_acl(conn, parent_dir))) {
    unx_mode = (0777 & lp_create_mask(SNUM(conn)));

So far it is good. The operating system applies default ACLs and "create mask" is taken into account. But later, smbd rewrites the ACLs:

smbd/open.c:

else if (lp_inherit_acls(SNUM(conn))) {
    /* Inherit from parent. Errors here are not fatal. */
    status = inherit_new_acl(fsp);
    if (!NT_STATUS_IS_OK(status)) {
        DEBUG(10,("inherit_new_acl: failed for %s with %s\n",
            fsp_str_dbg(fsp),
            nt_errstr(status) ));
    }

As it rewrites the ACLs, the "create mask" (e.g. = 666) is not applied and ordinary files get execute permission.
So, basically, it first allows the system to apply default ACLs, then it does its own inheritance. I want only the first portion.

Commenting out the second portion makes it work correctly. To get the desired effect the parameter "store dos attributes = yes" also has to be set.

I have no idea why the second portion (inherit_new_acl(fsp)) was added, but it causes me trouble.
If it cannot be removed for some other reason, I can produce a patch with a new option, e.g. "inherit acls posix only", or whatever other name you prefer, so it can be disabled separately.
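
The two-step sequence described in the report above, as an added C sketch that is not part of the original report and is not Samba's code. `apply_default_acl` follows the acl(5) rule for creating a file under a directory that has a default ACL; `rewrite_from_parent` is an assumed, simplified stand-in for the later ACL rewrite, and the struct, function names and sample ACL are constructed for illustration.

```c
#include <stdio.h>

/* Minimal POSIX ACL model: rwx bits (0-7) per entry. */
struct acl {
    unsigned user_obj;   /* owning user          */
    unsigned named_user; /* one named user entry */
    unsigned group_obj;  /* owning group         */
    unsigned mask;       /* ACL_MASK entry       */
    unsigned other;      /* everyone else        */
};

/* Step 1 (kernel, acl(5)): the parent's default ACL becomes the new file's
 * access ACL, then the entries that correspond to the mode bits are ANDed
 * with the mode passed to open(). When a mask entry exists, the group bits
 * of the mode limit the mask, not group_obj. */
struct acl apply_default_acl(struct acl def, unsigned mode)
{
    struct acl a = def;
    a.user_obj &= (mode >> 6) & 7;
    a.mask     &= (mode >> 3) & 7;
    a.other    &= mode & 7;
    return a;
}

/* Step 2 (assumed model of the rewrite described in the report): the ACL is
 * taken from the parent again and no mode is applied to it. */
struct acl rewrite_from_parent(struct acl def)
{
    return def;
}

/* Named user and owning group are limited by the mask entry. */
unsigned effective_named_user(struct acl a) { return a.named_user & a.mask; }

/* Nonzero if any entry still grants execute after masking. */
unsigned grants_execute(struct acl a)
{
    return (a.user_obj | effective_named_user(a) |
            (a.group_obj & a.mask) | a.other) & 1;
}

int main(void)
{
    struct acl def = { 7, 7, 7, 7, 5 };  /* constructed parent default ACL */
    unsigned mode = 0777 & 0666;          /* unx_mode with create mask 0666 */
    printf("after create:  execute=%u\n",
           grants_execute(apply_default_acl(def, mode)));
    printf("after rewrite: execute=%u\n",
           grants_execute(rewrite_from_parent(def)));
    return 0;
}
```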
Comment 1 Björn Jacke 2021-03-10 16:28:08 UTC
ACLs and create mask generally don't play well together. Maybe we should just drop create mask support for any kind of ACL configuration where we have inherited ACLs. Just for POSIX ACLs without ACL inheritance we might leave it in.