Bug 14304 - Multiple issues with getting individual ACLs
Summary: Multiple issues with getting individual ACLs
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.9.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-29 06:49 UTC by Jonathon Reinhart
Modified: 2020-02-29 21:52 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jonathon Reinhart 2020-02-29 06:49:38 UTC 
I can successfully write a program to get various xattrs like this:

    smbc_getFunctionGetxattr(ctx)(ctx, uri, attr, buf, sizeof(buf));

But there are several problems with getting individual ACLs (ACEs, really).

I'm looking at this documentation [1]:

 * @param name      The name of an attribute to be retrieved.  Names are of
 *                  one of the following forms:
 *
 *                     system.nt_sec_desc.<attribute name>
 *                     system.nt_sec_desc.*
 *                     system.nt_sec_desc.*+
 *
 *                  where <attribute name> is one of:
 *
 *                     revision
 *                     owner
 *                     owner+
 *                     group
 *                     group+
 *                     acl:<name or sid>
 *                     acl+:<name or sid>



Issue 1: Both "acl:" and "acl+:" say <name or sid> but in reality it should probably say:

   acl:<sid>
   acl+:<name>


Assuming my reading between the lines there is correct, I should be able to request an individual acl/ace by SID by requesting this attribute:

    attr = "system.nt_sec_desc.acl:S-1-5-11";

or by name:

    attr = "system.nt_sec_desc.acl+:BUILTIN\\Administrators";

Neither of those works.



Issue 2: This code [2] is incorrect:


    } else if ((strncasecmp_m(name, "acl", 3) == 0 &&
                strcasecmp_m(name+3, sidstr) == 0) ||
               (strncasecmp_m(name, "acl+", 4) == 0 &&
                strcasecmp_m(name+4, sidstr) == 0)) {

It clearly thinks that the SID/name immediately follows "acl". Amazingly, this works (note the lack of a separating colon):

    attr = "system.nt_sec_desc.aclS-1-5-11"


However, leaving the colon off in the name form still does not work:

    attr = "system.nt_sec_desc.acl+BUILTIN\\Administrators";


Issue 3: This logic [3] for enabling/disabling SID conversion doesn't work for acl attribute which has the extra sid-or-name parameter. The + will never be at the end of name:

    numeric = (* (name + strlen(name) - 1) != '+');

'numeric' is later used here [4] in the call to convert_sid_to_string(). It would need to be determined differently in the "acl+:<sid-or-string>" case.


These issues trace back to the commit (2f84a990bcfa) where this code was first introduced. I'm convinced that I'm the first person to try to use libsmbclient to retrieve a specific ACL since 2003.



[1] https://gitlab.com/samba-team/samba/blob/samba-4.9.5/source3/include/libsmbclient.h#L2291-2292
[2] https://gitlab.com/samba-team/samba/blob/samba-4.9.5/source3/libsmb/libsmb_xattr.c#L1094-1097
[3] https://gitlab.com/samba-team/samba/blob/samba-4.9.5/source3/libsmb/libsmb_xattr.c#L810
[4] https://gitlab.com/samba-team/samba/blob/samba-4.9.5/source3/libsmb/libsmb_xattr.c#L1067
Comment 1 Jeremy Allison 2020-02-29 21:52:02 UTC 
I can believe you :-(. Without tests, these things are probably broken.