Bug 14471 - vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Summary: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.11.6
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Ralph Böhme
URL:
Keywords:
Depends on: 14470
Blocks:
  Show dependency treegraph
 
Reported: 2020-08-20 14:32 UTC by Ralph Böhme
Modified: 2020-11-05 10:01 UTC (History)
2 users (show)

See Also:


Attachments
Patch for 4.12 and 4.13 cherry-picked from master (5.29 KB, patch)
2020-10-22 07:49 UTC, Ralph Böhme
jra: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2020-08-20 14:32:42 UTC
When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result in special entries being modified in a way such that delete, delete_child, write_named_attr, write_attribute are stripped from the returned ACL entry, and the kernel / ZFS treats this as having rights equivalent to the desired POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but this is only really called for in the case of special entries in this particular circumstance.

Alter circumstances in which delete_child is granted so that it only is added to special entries. This preserves the intend post-chmod behavior, but avoids unnecessarily increasing permissions in cases where it's not intended. Further modification of this behavior may be required so that we grant a general read or general write permissions set in case of POSIX read / POSIX write on special entries.
Comment 1 Samba QA Contact 2020-10-15 20:28:09 UTC
This bug was referenced in samba master:

a182f2e6cdded739812e209430d340097acc0031
13b4f913b06457d8e1f7cf71c85722bbecabd990
c1a37b4f31d5252ce074d41f69e526aa84b0d3b3
Comment 2 Ralph Böhme 2020-10-22 07:49:15 UTC
Created attachment 16299 [details]
Patch for 4.12 and 4.13 cherry-picked from master
Comment 3 Ralph Böhme 2020-10-22 08:02:57 UTC
Karolin, make sure to apply the patch from #14470 before this one.
Comment 4 Jeremy Allison 2020-10-30 00:29:41 UTC
Re-assigning to Karolin for inclusion in 4.13.next, 4.12.next.
Comment 5 Karolin Seeger 2020-10-30 12:21:01 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-{13,12}-test.
Comment 6 Samba QA Contact 2020-10-30 13:54:14 UTC
This bug was referenced in samba v4-13-test:

2a6c27d63b75c8535d239a7e9eeefc6e59cdf276
c64c277b607a3688f86c333fbb3ba151c8667964
d9d661993d4c7619465364905a39e0c90727a4cf
Comment 7 Samba QA Contact 2020-10-30 15:25:08 UTC
This bug was referenced in samba v4-12-test:

b260c3003bbb0ca9f539ad5cae5364c0fcd5515b
e14dfa439e720719fbb4ff7ab8265e4a59c81278
e1f7e422bd560196f735c96e6bf6d84524d169a7
Comment 8 Karolin Seeger 2020-11-02 07:54:21 UTC
Closing out bug report.

Thanks!
Comment 9 Samba QA Contact 2020-11-03 12:36:34 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.2):

2a6c27d63b75c8535d239a7e9eeefc6e59cdf276
c64c277b607a3688f86c333fbb3ba151c8667964
d9d661993d4c7619465364905a39e0c90727a4cf
Comment 10 Samba QA Contact 2020-11-05 10:01:23 UTC
This bug was referenced in samba v4-12-stable (Release samba-4.12.10):

b260c3003bbb0ca9f539ad5cae5364c0fcd5515b
e14dfa439e720719fbb4ff7ab8265e4a59c81278
e1f7e422bd560196f735c96e6bf6d84524d169a7