Bug 14528 - Changing owner with NFSv4 ACLs results in wrong ACL
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.13.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Christof Schmitt
QA Contact: Samba QA Contact
Reported: 2020-10-08 21:24 UTC by Christof Schmitt
Modified: 2020-10-09 04:59 UTC

Description Christof Schmitt 2020-10-08 21:24:04 UTC
NFSv4 ACLs include entries for special:owner and special:group. On
a request to change the owner while keeping the existing ACL, these
entries change their meaning.

Consider a file owned by userA and an ACL entry granting access:

Security Descriptor
owner: userA
ACL entry: userA FULL_ACCESS

which can be mapped to an NFSv4 ACL:
owner: userA
ACL entry: special:owner FULL_ACCESS (meaning that userA has full access)


Now changing only the owner should result in this Security Descriptor:
owner: userB
ACL entry: userA FULL_ACCESS
(the ACL should not be modified)

But the file with the above NFSv4 ACL will have:
owner: userB
ACL entry: special:owner FULL_ACCESS (meaning that now userB has full access)

The fix will be to update the NFSv4 ACL on a request that only changes the owner.
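
A minimal model of the behaviour described in this report, added here as an illustration and not taken from Samba's source. The struct layout, the function names and the chosen fix (rewriting special:owner as an explicit entry for the previous owner before the owner changes) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; these are not Samba's data structures. */
enum who { WHO_SPECIAL_OWNER, WHO_NAMED_USER };
struct ace { enum who who; const char *name; };   /* every ACE grants FULL_ACCESS */
struct nfs4_file { const char *owner; struct ace acl[4]; int n; };

/* Constructed sample: the file from the report, owned by userA. */
struct nfs4_file sample_file(void) {
    struct nfs4_file f = { "userA", { { WHO_SPECIAL_OWNER, NULL } }, 1 };
    return f;
}

/* special:owner is resolved against the owner at evaluation time. */
int has_access(const struct nfs4_file *f, const char *user) {
    for (int i = 0; i < f->n; i++) {
        const struct ace *a = &f->acl[i];
        const char *subject = (a->who == WHO_SPECIAL_OWNER) ? f->owner : a->name;
        if (strcmp(subject, user) == 0)
            return 1;
    }
    return 0;
}

/* Behaviour described in the report: only the owner field changes. */
void chown_naive(struct nfs4_file *f, const char *new_owner) {
    f->owner = new_owner;
}

/* Assumed fix: pin special:owner to the old owner before changing it. */
void chown_preserving_acl(struct nfs4_file *f, const char *new_owner) {
    for (int i = 0; i < f->n; i++) {
        if (f->acl[i].who == WHO_SPECIAL_OWNER) {
            f->acl[i].who = WHO_NAMED_USER;
            f->acl[i].name = f->owner;
        }
    }
    f->owner = new_owner;
}

int main(void) {
    struct nfs4_file a = sample_file(), b = sample_file();
    chown_naive(&a, "userB");
    chown_preserving_acl(&b, "userB");
    printf("naive: userA=%d userB=%d\n", has_access(&a, "userA"), has_access(&a, "userB"));
    printf("fixed: userA=%d userB=%d\n", has_access(&b, "userA"), has_access(&b, "userB"));
    return 0;
}
```

In the naive case access silently moves from userA to userB although the client asked for no ACL change; in the second case the ACL keeps granting access to userA only.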