Bug 14471 - vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Summary: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.11.6
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Ralph Böhme
Depends on:
Reported: 2020-08-20 14:32 UTC by Ralph Böhme
Modified: 2020-08-20 14:35 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2020-08-20 14:32:42 UTC
When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result in special entries being modified in a way such that delete, delete_child, write_named_attr, write_attribute are stripped from the returned ACL entry, and the kernel / ZFS treats this as having rights equivalent to the desired POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but this is only really called for in the case of special entries in this particular circumstance.

Alter circumstances in which delete_child is granted so that it only is added to special entries. This preserves the intend post-chmod behavior, but avoids unnecessarily increasing permissions in cases where it's not intended. Further modification of this behavior may be required so that we grant a general read or general write permissions set in case of POSIX read / POSIX write on special entries.