Bug 14032 - NFSv4 ACL for owner broken with IDMAP_TYPE_BOTH
Summary: NFSv4 ACL for owner broken with IDMAP_TYPE_BOTH
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.6.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-07-09 22:08 UTC by Christof Schmitt
Modified: 2020-05-27 16:32 UTC (History)
2 users (show)

See Also:

patches for 4.11 (138.58 KB, patch)
2019-07-24 17:43 UTC, Christof Schmitt
slow: review+
patches for 4.10 (138.58 KB, patch)
2019-07-24 17:44 UTC, Christof Schmitt
slow: review+
patches for 4.9 (142.59 KB, patch)
2019-07-24 17:45 UTC, Christof Schmitt
slow: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Christof Schmitt 2019-07-09 22:08:17 UTC
Commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7 broke the case where a
group owns a file or directory and an ACL entry grants permissions to
that group. As this is only possible with IDMAP_TYPE_BOTH and in that
case every NFSv4 ACL entry needs to be a group entry, mapping to a
user entry is wrong.

A related issue with GPFS found in the same test is that the file
system does not allow denying ACL or attribute access to the
owner. Samba can get around this by not mapping to the "special owner"
in this case.

Patches to follow this will also include a unit test for the mapping
between Security Descriptor and the NFSv4 ACL to avoid further
breakage in this area.
Comment 1 Christof Schmitt 2019-07-24 17:43:36 UTC
Created attachment 15320 [details]
patches for 4.11
Comment 2 Christof Schmitt 2019-07-24 17:44:43 UTC
Created attachment 15321 [details]
patches for 4.10
Comment 3 Christof Schmitt 2019-07-24 17:45:10 UTC
Created attachment 15322 [details]
patches for 4.9
Comment 4 Christof Schmitt 2019-08-08 23:00:47 UTC
could you review the backports?
Comment 5 Ralph Böhme 2019-08-21 06:58:33 UTC
Reassigning for inclusion in 4.9, 4.10 and 4.11.
Comment 6 Karolin Seeger 2019-08-23 08:45:56 UTC
(In reply to Ralph Böhme from comment #5)
Pushed to autobuild-v4-{11,10,9}-test.
Comment 7 Karolin Seeger 2019-08-27 10:19:37 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to all branches.
Closing out bug report.