14528 – Changing owner with NFSv4 ACLs results in wrong ACL

Bug 14528 - Changing owner with NFSv4 ACLs results in wrong ACL

Summary: Changing owner with NFSv4 ACLs results in wrong ACL

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	4.13.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Christof Schmitt
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-10-08 21:24 UTC by Christof Schmitt
Modified:	2020-10-09 04:59 UTC (History)
CC List:	1 user (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/1602

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christof Schmitt 2020-10-08 21:24:04 UTC

NFSv4 ACLs include entries for special:owner and special:group. On
a request to change the owner while keeping the existing ACL, these
entries change their meaning.

Consider a file owner by userA and an ACL entry granting access:

Security Descriptor
owner: userA
ACL entry: userA FULL_ACCESS

which can be mapped to a NFSv4 ACL:
owner: userA
ACL entry: special:owner FULL_ACCESS (meaning that userA has full access)


Now changing only the owner should result in this Security Descriptor:
owner: userB
ACL entry: userA FULL_ACCESS
(the ACL should not be modified)

But the file with the above NFSv4 ACL will have:
owner: userB
ACL entry: special:owner FULL_ACCESS (meaning that now userB has full access)

The fix will be to update the NFSv4 ACL on a request that only changes the owner.