Bug 14493 - Conventional tools for managing ACLs can mislead the user
Status: NEW
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: kernel fs
Version: 3.x
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Steve French
QA Contact: cifs QA contact
Reported: 2020-09-15 02:10 UTC by Micah Veilleux
Modified: 2021-01-29 10:18 UTC
Description Micah Veilleux 2020-09-15 02:10:18 UTC
On a client to a Samba share for which Windows ACLs are configured, "ls -l" reports incorrect information, and no "+" is present to indicate that ACLs have been configured:
------------------------------
mcrs3:/TCS # ls -lh testfile
-rwxr-xr-x 1 root root 0 Sep 14 23:05 testfile   # permissions are incorrect, "+" is missing, and owner and primary group owner are incorrect
mcrs3:/TCS # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
mcrs3:/TCS #
------------------------------

Still on the client, "chown" and "chmod" fail without error:
------------------------------
mcrs3:/TCS # chown vptc3\\mveil testfile
mcrs3:/TCS # chmod u+x testfile
mcrs3:/TCS #
mcrs3:/TCS # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
mcrs3:/TCS #
------------------------------

On the server side, these issues are not present:
------------------------------
mcrs3:/.TCS_local # ls -l testfile
-rw-rwx---+ 1 VPTC3\cifsuser VPTC3\domain users 0 Sep 14 23:05 testfile
mcrs3:/.TCS_local #
mcrs3:/.TCS_local # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
mcrs3:/.TCS_local #
mcrs3:/.TCS_local # chown vptc3\\mveil testfile
mcrs3:/.TCS_local # chmod u+x testfile
mcrs3:/.TCS_local #
mcrs3:/.TCS_local # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\mveil
GROUP:VPTC3\Domain Users
ACL:VPTC3\mveil:ALLOWED/0x0/FULL
ACL:VPTC3\Domain Users:ALLOWED/0x0/
ACL:VPTC3\Domain Users:ALLOWED/0x0/
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
ACL:Everyone:ALLOWED/0x0/
mcrs3:/.TCS_local #
mcrs3:/.TCS_local # ls -l testfile
-rwxrwx---+ 1 VPTC3\mveil VPTC3\domain users 0 Sep 14 23:05 testfile
mcrs3:/.TCS_local #
------------------------------

My sernet-samba version is 99:4.12.2-11.suse150.

My mount is:
------------------------------
mcrs3:/TCS # grep "TCS " /etc/fstab
//mcrs3/TCS /TCS cifs user=cifsuser,multiuser,domain=VPTC3,sec=krb5,mfsymlinks,vers=3.0 0 0
mcrs3:/TCS #
------------------------------
Comment 1 Shyam Prasad N 2020-09-15 06:48:38 UTC
Hi Micah,
If you're expecting translation of unix perm bits to ACLs, you need to use the "cifsacl" mount option. Can you try that and see if it helps for you?
Comment 2 Micah Veilleux 2020-09-15 16:41:36 UTC
Thanks Shyam, you're right.  The results with the "cifsacl" mount option are still problematic.  My mount options are now:
------------------------------
mcrw1:/TCS # grep "TCS " /etc/fstab
//mcrs3/TCS /TCS cifs user=cifsuser,multiuser,domain=VPTC3,sec=krb5,iocharset=utf8,cifsacl,mfsymlinks,nobrl,vers=3.0 0 0
mcrw1:/TCS #
------------------------------

The "+" is still missing from the output of "ls -l":
------------------------------
mcrw1:/TCS # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
mcrw1:/TCS #
mcrw1:/TCS # ls -l testfile
-rw------- 1 VPTC3\cifsuser VPTC3\domain users 0 Sep 15 16:49 testfile   # permissions are ok, owner and primary group owner are ok, but no "+" is present to indicate the use of extended ACLs
mcrw1:/TCS #
------------------------------

"chown" fails with error:
------------------------------
mcrw1:/TCS # chown vptc3\\mveil testfile 
chown: changing ownership of 'testfile': Input/output error
mcrw1:/TCS # smbcacls //mcrs3/TCS /testfile -k yes 
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser       # no ownership change made, but at least an error was reported
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO
mcrw1:/TCS #
------------------------------

"chmod" makes correct changes to the target user, but also incorrect changes to other users:
------------------------------
mcrw1:/TCS # chmod u+x testfile
mcrw1:/TCS # smbcacls //mcrs3/TCS /testfile -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\cifsuser:ALLOWED/0x0/FULL             # permissions changed as expected
ACL:VPTC3\Domain Users:ALLOWED/0x0/0x00120088   # permissions set unintentionally for "Domain Users", and removed unintentionally for "Domain Admins"
ACL:Everyone:ALLOWED/0x0/0x00120088             # permissions set unintentionally
mcrw1:/TCS #
------------------------------

"ls -l" now reports updated information, which is correct within the limits of what it can convey, though the "+" is of course still missing:
------------------------------
mcrw1:/TCS # ls -l testfile
-rwx------ 1 VPTC3\cifsuser VPTC3\domain users 0 Sep 15 16:49 testfile
mcrw1:/TCS #
------------------------------
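
Added example, not part of the bug report and not code from Samba or cifs-utils: a small Python check that diffs two `smbcacls` listings taken before and after a `chmod` on a `cifsacl` mount, so dropped or newly added trustees are caught even though `ls -l` shows no "+". The function names are hypothetical, the sample input is constructed from the listings in Comment 2, and the mask names are the standard Windows file access rights.

```python
import re

# Constructed input: the smbcacls listings from Comment 2, before and after
# "chmod u+x testfile" on the cifsacl mount (inline "#" remarks removed).
BEFORE = r"""OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/0x0/RWDPO
ACL:VPTC3\cifsuser:ALLOWED/0x0/RWDPO"""
AFTER = r"""OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\cifsuser:ALLOWED/0x0/FULL
ACL:VPTC3\Domain Users:ALLOWED/0x0/0x00120088
ACL:Everyone:ALLOWED/0x0/0x00120088"""

# Standard Windows file access-mask bits, lowest bit first.
MASK_BITS = {
    0x000001: "READ_DATA", 0x000002: "WRITE_DATA", 0x000004: "APPEND_DATA",
    0x000008: "READ_EA", 0x000010: "WRITE_EA", 0x000020: "EXECUTE",
    0x000040: "DELETE_CHILD", 0x000080: "READ_ATTRIBUTES",
    0x000100: "WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
ACE_RE = re.compile(r"ACL:(.+):(ALLOWED|DENIED)/([^/]*)/(.*)$")

def parse_aces(text):
    """Map each trustee to its list of (type, flags, perms) ACEs."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.setdefault(m.group(1), []).append(m.group(2, 3, 4))
    return aces

def decode_mask(perms):
    """Expand a hex access mask into right names; keep symbolic forms as-is."""
    if not perms.lower().startswith("0x"):
        return [perms]
    value = int(perms, 16)
    return [name for bit, name in MASK_BITS.items() if value & bit]

def diff_acl(before, after):
    """Report trustees removed, added, or changed between two listings."""
    b, a = parse_aces(before), parse_aces(after)
    return {"removed": sorted(set(b) - set(a)),
            "added": sorted(set(a) - set(b)),
            "changed": sorted(t for t in set(a) & set(b) if a[t] != b[t])}

if __name__ == "__main__":
    print(diff_acl(BEFORE, AFTER), decode_mask("0x00120088"))
```
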