Bug 15535 - files not listed with acl_xattr and missing read [extended] attributes permission and "hide unreadable"
Summary: files not listed with acl_xattr and missing read [extended] attributes permis...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.19.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-13 12:07 UTC by Björn Jacke
Modified: 2023-12-14 17:47 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2023-12-13 12:07:30 UTC
Files are not listed by smbd with

vfs objects = acl_xattr

and missing "read attributes" or "read extended attributes" permission bits when "hide unreadable" is enabled. 

(With NFS4 ACL filesystems this is working okay, there was however a similar bug, which was fixed with #15093 and #15507)
Comment 1 Ralph Böhme 2023-12-13 12:50:40 UTC
Hmm..... is this by design? See cc05f73872c36cd307da3d6fed200beb16d5c2a8 and #10252.
Comment 2 Björn Jacke 2023-12-13 14:38:10 UTC
Windows 10 natively allows taking away "read attributes" permission without denying read access to the file. Taking away "read extendded attributes" permission takes away read permission. So we need to fix at least the "read attributes" case here.
Comment 3 Ralph Böhme 2023-12-13 15:14:24 UTC
(In reply to Björn Jacke from comment #2)
Interesting! Have you run smb2.acls.ACCESSBASED against Windows 10?
Comment 4 Björn Jacke 2023-12-13 17:02:40 UTC
no, I tested with with a local NTFS filesystem
Comment 5 Björn Jacke 2023-12-14 17:47:41 UTC
Windows 10 with Access-Based Enumeration (ABE) enabled behaves the same as Samba currently does with hide unreadable enabled: If "read attributes" is denied, then the file content IS still readable but nevertheless the file is hidden.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/29dfcc9b-3aec-406b-abb5-0b4fe96712e2

Describes this case. It is not really logical (and looks wrong to me) that a readable file is being not listed with "hide unreadable" or ABE enabled, but this is how it is currently.