Bug 14440 - creator owner (S-1-3-0) ACE not honored
Status: ASSIGNED
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: kernel fs
Version: 3.x
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Steve French
QA Contact: cifs QA contact
Reported: 2020-07-13 13:42 UTC by Björn Jacke
Modified: 2021-09-30 11:12 UTC
Description Björn Jacke 2020-07-13 13:42:57 UTC
If you have an ACL where the file has executable permission only granted to the owner through the "creator owner" (S-1-3-0) security principal, then this permission is not granted. Example:


bjacke@cifstest1:/mnt3/Test$ getcifsacl no-exec
REVISION:0x1
CONTROL:0x8004
OWNER:SERNET\bjacke
GROUP:SERNET\Domain Users
ACL:SERNET\bjacke:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Users:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Admins:ALLOWED/0x0/FULL

(above here domain users and my user bjacke have all permissions except for execute (0x1f01df))

bjacke@cifstest1:/mnt3/Test$ ./no-exec
bash: ./no-exec: Permission denied

-> RIGHT

Now grant FULL permissions to the owner (which is bjacke):

bjacke@cifstest1:/mnt3/Test$ setcifsacl -a 'ACL:\creator owner:ALLOWED/0x0/FULL' no-exec
bjacke@cifstest1:/mnt3/Test$ getcifsacl no-exec
REVISION:0x1
CONTROL:0x8004
OWNER:SERNET\bjacke
GROUP:SERNET\Domain Users
ACL:SERNET\bjacke:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Users:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Admins:ALLOWED/0x0/FULL
ACL:\Creator Owner:ALLOWED/0x0/FULL

The file should be executable now by bjacke but it's still not:

bjacke@cifstest1:/mnt3/Test$ ./no-exec
bash: ./no-exec: Permission denied

-> WRONG

Is the S-1-3-0 security principal supposed to be evaluated at all or is this not implemented?
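
Added example, not part of the original report or of cifs-utils: a small parser for the getcifsacl listing above that shows which ACEs carry the execute bit (0x20), the only difference between 0x1f01df and FULL. It assumes FULL means 0x1f01ff and handles only FULL and hex masks; the function names are hypothetical.

```python
import re

FILE_EXECUTE = 0x20          # execute/traverse bit in the access mask
FILE_ALL_ACCESS = 0x1F01FF   # assumption: the value printed as FULL

# Constructed sample: the second getcifsacl listing from the report.
SAMPLE = r"""REVISION:0x1
CONTROL:0x8004
OWNER:SERNET\bjacke
GROUP:SERNET\Domain Users
ACL:SERNET\bjacke:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Users:ALLOWED/0x0/0x1f01df
ACL:SERNET\Domain Admins:ALLOWED/0x0/FULL
ACL:\Creator Owner:ALLOWED/0x0/FULL
"""

ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]+)/(?P<mask>\S+)$")

def parse_mask(text):
    """Turn a mask field into an integer (FULL or hex only)."""
    if text.upper() == "FULL":
        return FILE_ALL_ACCESS
    if text.lower().startswith("0x"):
        return int(text, 16)
    raise ValueError(f"mask form not handled in this example: {text!r}")

def parse_acl(listing):
    """Return (owner, [(trustee, ace_type, mask), ...]) from a listing."""
    owner, aces = None, []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("OWNER:"):
            owner = line[len("OWNER:"):]
        m = ACE_RE.match(line)
        if m:
            aces.append((m["trustee"], m["type"], parse_mask(m["mask"])))
    return owner, aces

def execute_grants(listing):
    """Trustees whose ALLOWED ACE carries the FILE_EXECUTE bit."""
    _, aces = parse_acl(listing)
    return [t for t, typ, mask in aces if typ == "ALLOWED" and mask & FILE_EXECUTE]

if __name__ == "__main__":
    owner, aces = parse_acl(SAMPLE)
    print("owner:", owner)
    for trustee, typ, mask in aces:
        print(f"{trustee:22} {typ:8} {mask:#08x} execute={'yes' if mask & FILE_EXECUTE else 'no'}")
```

For this listing the only ACEs with the execute bit are SERNET\Domain Admins and \Creator Owner, so whether bjacke can run the file depends entirely on whether the S-1-3-0 entry is evaluated for the owner.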
Comment 1 Ralph Böhme 2020-07-13 16:02:27 UTC
(In reply to Björn Jacke from comment #0)
I remember fixing something in that area recently (1-2 years timeframe) and off the top of my hat I'd say we implement it and it should work.
Comment 2 Björn Jacke 2020-07-15 10:57:34 UTC
(In reply to Ralph Böhme from comment #1)
this is a cifs vfs client issue
Comment 3 Ralph Böhme 2021-09-30 11:12:41 UTC
Steve: ping. Any chance you can look into this?