14471 – vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special

Bug 14471 - vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special

Summary: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	4.11.6
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Ralph Böhme

URL:
Keywords:

Depends on:	14470
Blocks:
	Show dependency tree / graph

Reported:	2020-08-20 14:32 UTC by Ralph Böhme
Modified:	2020-11-05 10:01 UTC (History)
CC List:	2 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/1521

Attachments
Patch for 4.12 and 4.13 cherry-picked from master (5.29 KB, patch) 2020-10-22 07:49 UTC, Ralph Böhme	jra: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2020-08-20 14:32:42 UTC

When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result in special entries being modified in a way such that delete, delete_child, write_named_attr, write_attribute are stripped from the returned ACL entry, and the kernel / ZFS treats this as having rights equivalent to the desired POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but this is only really called for in the case of special entries in this particular circumstance.

Alter circumstances in which delete_child is granted so that it only is added to special entries. This preserves the intend post-chmod behavior, but avoids unnecessarily increasing permissions in cases where it's not intended. Further modification of this behavior may be required so that we grant a general read or general write permissions set in case of POSIX read / POSIX write on special entries.

Comment 1 Samba QA Contact 2020-10-15 20:28:09 UTC

This bug was referenced in samba master:

a182f2e6cdded739812e209430d340097acc0031
13b4f913b06457d8e1f7cf71c85722bbecabd990
c1a37b4f31d5252ce074d41f69e526aa84b0d3b3

Comment 2 Ralph Böhme 2020-10-22 07:49:15 UTC

Created attachment 16299 [details]
Patch for 4.12 and 4.13 cherry-picked from master

Comment 3 Ralph Böhme 2020-10-22 08:02:57 UTC

Karolin, make sure to apply the patch from #14470 before this one.

Comment 4 Jeremy Allison 2020-10-30 00:29:41 UTC

Re-assigning to Karolin for inclusion in 4.13.next, 4.12.next.

Comment 5 Karolin Seeger 2020-10-30 12:21:01 UTC

(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-{13,12}-test.

Comment 6 Samba QA Contact 2020-10-30 13:54:14 UTC

This bug was referenced in samba v4-13-test:

2a6c27d63b75c8535d239a7e9eeefc6e59cdf276
c64c277b607a3688f86c333fbb3ba151c8667964
d9d661993d4c7619465364905a39e0c90727a4cf

Comment 7 Samba QA Contact 2020-10-30 15:25:08 UTC

This bug was referenced in samba v4-12-test:

b260c3003bbb0ca9f539ad5cae5364c0fcd5515b
e14dfa439e720719fbb4ff7ab8265e4a59c81278
e1f7e422bd560196f735c96e6bf6d84524d169a7

Comment 8 Karolin Seeger 2020-11-02 07:54:21 UTC

Closing out bug report.

Thanks!

Comment 9 Samba QA Contact 2020-11-03 12:36:34 UTC

This bug was referenced in samba v4-13-stable (Release samba-4.13.2):

2a6c27d63b75c8535d239a7e9eeefc6e59cdf276
c64c277b607a3688f86c333fbb3ba151c8667964
d9d661993d4c7619465364905a39e0c90727a4cf

Comment 10 Samba QA Contact 2020-11-05 10:01:23 UTC

This bug was referenced in samba v4-12-stable (Release samba-4.12.10):

b260c3003bbb0ca9f539ad5cae5364c0fcd5515b
e14dfa439e720719fbb4ff7ab8265e4a59c81278
e1f7e422bd560196f735c96e6bf6d84524d169a7