Bug 13528 - vfs_zfsacl does not allow users to "disable inheritance" via File Explorer
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.7.6
Hardware: All FreeBSD
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Duplicates: 10645
Depends on:
Reported: 2018-07-13 18:39 UTC by Andrew Walker
Modified: 2022-06-21 18:30 UTC

vfs_zfsacl patch to set dacl protected if no entries in ACL are inherited (1.62 KB, patch)
2018-07-13 18:39 UTC, Andrew Walker
Description Andrew Walker 2018-07-13 18:39:22 UTC
Created attachment 14322
vfs_zfsacl patch to set dacl protected if no entries in ACL are inherited

The option in File Explorer for disabling inheritance and converting inherited permissions into explicit permissions does not work with zfsacl enabled. The issue is trivial to reproduce, but I'm happy to provide pcaps and logs if they are required.

On FreeBSD this was a two-part fix. I already patched sysutils/libsunacl to expose ACE_INHERITED_ACE. 

This patch adds a new configuration option for setting the dacl_protected control flag in the zfsacl vfs module, and defaults to preserving previous behavior. If ACE_INHERITED_ACE isn't present in any of the members of the ACL, then set dacl_protected.
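
The check described above, written out as an added example (not the attached patch and not Samba code), showing what a client reads back after setting a security descriptor. The `ex_` names, the `map_protected` parameter, the bit values and the sample ACLs are assumptions made for the illustration; the third line printed by `main` is the case where an ACL with only explicit entries reads back as protected although the client did not set the bit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins (assumptions): the example only needs two distinct bits. */
#define EX_ACE_INHERITED_ACE 0x0080u /* per-entry flag: copied from the parent */
#define EX_DACL_PROTECTED    0x1000u /* descriptor control bit: inheritance off */

struct ex_ace { const char *who; uint32_t mask; uint16_t flags; };

/* Constructed sample ACLs. */
static const struct ex_ace ex_inherited[] = {
    { "owner@", 0x1f01ffu, 0 },
    { "group:staff", 0x1200a9u, EX_ACE_INHERITED_ACE },
};
static const struct ex_ace ex_explicit[] = {
    { "owner@", 0x1f01ffu, 0 },
    { "group:staff", 0x1200a9u, 0 },
};

/* Heuristic from the description: no inherited entry => report protected.
 * map_protected is a hypothetical name for the new option; off keeps the
 * previous behaviour of never reporting the bit. */
uint16_t ex_control_from_acl(const struct ex_ace *a, size_t n, bool map_protected)
{
    if (!map_protected)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (a[i].flags & EX_ACE_INHERITED_ACE)
            return 0;
    return EX_DACL_PROTECTED;
}

/* Set then get: the stored ACL keeps per-entry flags only, so the control
 * word the client sent is dropped and re-derived on the next read. */
uint16_t ex_round_trip(uint16_t sent, const struct ex_ace *a, size_t n)
{
    (void)sent;
    return ex_control_from_acl(a, n, true);
}

int main(void)
{
    printf("inherited entry, sent 0x0000 -> 0x%04x\n", (unsigned)ex_round_trip(0, ex_inherited, 2));
    printf("explicit only, sent 0x1000 -> 0x%04x\n", (unsigned)ex_round_trip(EX_DACL_PROTECTED, ex_explicit, 2));
    printf("explicit only, sent 0x0000 -> 0x%04x\n", (unsigned)ex_round_trip(0, ex_explicit, 2));
    return 0;
}
```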
Comment 1 Björn Jacke 2022-06-18 16:28:13 UTC
Was fixed with 30f9e1dd596a0dc4894f17b07a7e2e58dcb75c16 in 2019 already.
Comment 2 Björn Jacke 2022-06-19 15:54:35 UTC
The fix here is not ideal, as by evaluating only the ACE_INHERITED_ACE in the ACL you still can never simply disable the ACL4_PROTECTED bit.

Actually all NFS 4.0 implementations have this issue, as ACL4_PROTECTED was introduced with NFSv4.1 only. Same as ACE_INHERITED_ACE, actually.

Another idea might be to save the ACL4_PROTECTED bit as a dedicated but otherwise meaningless ACE, which Samba treats specially. A deny ACE for user root deny ACE4_SYNCHRONIZE for example is meaningless for a Unix system and this might be used as fallback storage space by Samba for the ACL4_PROTECTED bit.
Comment 3 Björn Jacke 2022-06-19 23:17:27 UTC
*** Bug 10645 has been marked as a duplicate of this bug. ***
Comment 4 Andrew Walker 2022-06-21 18:30:19 UTC
I have a pending Phabricator request on the FreeBSD side to expose the RFC5661 ACL flags, which provides a proper solution.

FreeBSD is somewhat in between RFC3530 and RFC5661 in this respect (it has ACE_INHERITED_ACE, but not the flags).

In practice with Windows clients, I didn't see the combination of PROTECTED and INHERITED entries or for that matter AUTOINHERIT without any inherited.