Bug 14495 - smbcacls requires the user to translate hex values to human-readable labels in some cases
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.12.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2020-09-15 02:20 UTC by Micah Veilleux
Modified: 2020-09-17 23:37 UTC
Description Micah Veilleux 2020-09-15 02:20:36 UTC
When setting ACE flags, it is necessary to use the hex value "0x0", rather than simply not providing any flag:
------------------------------
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED//READ"
ACE 'VPTC3\ptstest:ALLOWED//READ': bad named flags entry at 'READ'
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED/0x0/READ"
mcrs3:/TCS #
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL
ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO
ACL:VPTC3\ptstest:ALLOWED/0x0/READ
ACL:VPTC3\cifsuser:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO
mcrs3:/TCS #
------------------------------

For the mask, some human-readable labels exist -- RWXDPO/READ/WRITE/FULL -- but for unlabeled permission combinations, hex values must be used.  An improvement may be to have a "--verbose" option that allows the user to see which of the underlying permission types are granted/denied, and the meaning of the hex values, such as:
------------------------------
...
ACE: VPTC3\ptstest:ALLOWED/0x0/READ
User/group: VPTC3\ptstest
Type: Allowed
Flags:
  [ ] Object inherit                  0x01
  [ ] Container inherit               0x02
  [ ] No propagate                    0x04
  [ ] Inherit only                    0x08
Mask: 0x001200A9
  [ ] Full control                    0x001F01FF
  [x] Traverse folder / execute file  0x00100020
  [x] List folder / read data         0x00100001
  [x] Read attributes                 0x00100080
  [x] Read extended attributes        0x00100008
  [ ] Create files / write data       0x00100002
  [ ] Create folders / append data    0x00100004
  [ ] Write attributes                0x00100100
  [ ] Write extended attributes       0x00100010
  [ ] Delete subfolders and files     0x00100040
  [ ] Delete                          0x00110000
  [x] Read permissions                0x00120000
  [ ] Change permissions              0x00140000
  [ ] Take ownership                  0x00180000
...
------------------------------
Comment 1 Jeremy Allison 2020-09-15 18:06:45 UTC
That format example looks great. Are you able to code up a patch for that?
Comment 2 Micah Veilleux 2020-09-17 23:37:40 UTC
Sorry, creating a patch would be quite difficult for me.  Can it be assigned to someone else?
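
Until smbcacls has such an option, the breakdown proposed in the description can be approximated by post-processing its output when reviewing who holds which rights. The following is an added example, not part of the bug report and not Samba code: `decode_ace`, `parse_flags` and the table names are hypothetical, the READ and FULL values are taken from the report's sample output, and rights are listed as single-bit Windows access-mask values with Synchronize on its own row.

```python
# Added example, not Samba code. Bit values are the standard Windows ACE
# flag and file access-mask constants; labels follow the report's wording.
ACE_FLAGS = [(0x01, "OI", "Object inherit"), (0x02, "CI", "Container inherit"),
             (0x04, "NP", "No propagate"), (0x08, "IO", "Inherit only"),
             (0x10, "I", "Inherited")]
MASK_BITS = [
    (0x000001, "List folder / read data"), (0x000002, "Create files / write data"),
    (0x000004, "Create folders / append data"), (0x000008, "Read extended attributes"),
    (0x000010, "Write extended attributes"), (0x000020, "Traverse folder / execute file"),
    (0x000040, "Delete subfolders and files"), (0x000080, "Read attributes"),
    (0x000100, "Write attributes"), (0x010000, "Delete"),
    (0x020000, "Read permissions"), (0x040000, "Change permissions"),
    (0x080000, "Take ownership"), (0x100000, "Synchronize"),
]
# Named masks whose hex value is given in the report's sample output.
NAMED_MASKS = {"READ": 0x001200A9, "FULL": 0x001F01FF}


def parse_flags(field):
    """Accept '0x0'-style hex or 'OI|IO'-style names; empty means no flags."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    by_name = {short: bit for bit, short, _ in ACE_FLAGS}
    value = 0
    for name in filter(None, field.split("|")):
        value |= by_name[name]  # KeyError on an unknown flag name
    return value


def decode_ace(line):
    """Expand one 'ACL:trustee:TYPE/flags/mask' line into readable parts."""
    body = line[4:] if line.startswith("ACL:") else line
    trustee, rest = body.rsplit(":", 1)
    ace_type, flags_s, mask_s = rest.split("/")
    if mask_s in NAMED_MASKS:
        mask = NAMED_MASKS[mask_s]
    elif mask_s[:2].lower() == "0x":
        mask = int(mask_s, 16)
    else:  # letter combinations such as RWDPO are not decoded here
        raise ValueError("unsupported mask label: " + mask_s)
    flags = parse_flags(flags_s)
    return {
        "trustee": trustee, "type": ace_type, "flags": flags, "mask": mask,
        "flag_names": [desc for bit, _, desc in ACE_FLAGS if flags & bit],
        "rights": [desc for bit, desc in MASK_BITS if mask & bit],
        "unknown_bits": mask & ~sum(bit for bit, _ in MASK_BITS),
    }
```

A non-zero `unknown_bits` value marks mask bits outside the table, which are worth checking by hand during an ACL review.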