15636 – Smbcacls incorrectly propagates inheritance with Inherit-Only flag

Bug 15636 - Smbcacls incorrectly propagates inheritance with Inherit-Only flag

Summary: Smbcacls incorrectly propagates inheritance with Inherit-Only flag

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Tools (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-04-16 10:45 UTC by Anna
Modified:	2024-05-08 08:07 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
backported patch for 4.19 (9.69 KB, patch) 2024-04-30 10:57 UTC, Noel Power	slow: review+	Details
backported patch for 4.20 (9.73 KB, patch) 2024-04-30 10:57 UTC, Noel Power	slow: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Anna 2024-04-16 10:45:32 UTC

When adding ACLs with IO flag, inheritance is incorrectly propagated to child folders.
smbcacls //192.168.11.3/share /test -U admin -a "ACL:admin:ALLOWED/IO|CI/READ" --propagate-inheritance

Parent folder has correct ACLs.
smbcacls //192.168.11.3/share /test -U admin
REVISION:1
CONTROL:SR|DP
OWNER:BUILTIN\Administrators
GROUP:SVR\Domain Users
ACL:SVR\admin:ALLOWED/CI|IO/READ
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL

Child folder has IO flag set on ACL, although it shouldn't.
smbcacls //192.168.11.3/share /test/subfolder -U admin
REVISION:1
CONTROL:SR|DP
OWNER:BUILTIN\Administrators
GROUP:SVR\Domain Users
ACL:SVR\admin:ALLOWED/CI|IO/READ
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL

So an ACL that should apply to all child folders except parent folder doesn't really apply to any folder.

Comment 1 Samba QA Contact 2024-04-29 10:57:15 UTC

This bug was referenced in samba master:

eba2bfde347041a395f0fbd3c57235be63b1890d
80159018e411c643fbfe7ef82bd33e30b6147901

Comment 2 Noel Power 2024-04-30 10:57:20 UTC

Created attachment 18292 [details]
backported patch for 4.19

Comment 3 Noel Power 2024-04-30 10:57:49 UTC

Created attachment 18293 [details]
backported patch for 4.20

Comment 4 Ralph Böhme 2024-04-30 11:43:34 UTC

Reassigning to Jule for inclusion in 4.19 and 4.20.

Comment 5 Jule Anger 2024-05-07 07:34:24 UTC

Pushed to autobuild-v4-{20,19}-test.

Comment 6 Samba QA Contact 2024-05-07 08:53:03 UTC

This bug was referenced in samba v4-20-test:

d28a889aed25ac98ba4ef34b26190224e5ebe907
db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb

Comment 7 Samba QA Contact 2024-05-07 09:32:04 UTC

This bug was referenced in samba v4-19-test:

e703c0c3914d79f5ae4f42b3055e7a2005194927
b00c09bee3bc28e5637fd786122faeb6b200f2c5

Comment 8 Jule Anger 2024-05-07 11:23:42 UTC

Closing out bug report.

Thanks!

Comment 9 Samba QA Contact 2024-05-08 08:07:22 UTC

This bug was referenced in samba v4-20-stable (Release samba-4.20.1):

d28a889aed25ac98ba4ef34b26190224e5ebe907
db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb