Bug 15636 - Smbcacls incorrectly propagates inheritance with Inherit-Only flag
Summary: Smbcacls incorrectly propagates inheritance with Inherit-Only flag
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-16 10:45 UTC by Anna
Modified: 2024-06-10 15:31 UTC (History)
2 users (show)

See Also:


Attachments
backported patch for 4.19 (9.69 KB, patch)
2024-04-30 10:57 UTC, Noel Power
slow: review+
Details
backported patch for 4.20 (9.73 KB, patch)
2024-04-30 10:57 UTC, Noel Power
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Anna 2024-04-16 10:45:32 UTC
When adding ACLs with IO flag, inheritance is incorrectly propagated to child folders.
smbcacls //192.168.11.3/share /test -U admin -a "ACL:admin:ALLOWED/IO|CI/READ" --propagate-inheritance

Parent folder has correct ACLs.
smbcacls //192.168.11.3/share /test -U admin
REVISION:1
CONTROL:SR|DP
OWNER:BUILTIN\Administrators
GROUP:SVR\Domain Users
ACL:SVR\admin:ALLOWED/CI|IO/READ
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL

Child folder has IO flag set on ACL, although it shouldn't.
smbcacls //192.168.11.3/share /test/subfolder -U admin
REVISION:1
CONTROL:SR|DP
OWNER:BUILTIN\Administrators
GROUP:SVR\Domain Users
ACL:SVR\admin:ALLOWED/CI|IO/READ
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL

So an ACL that should apply to all child folders except parent folder doesn't really apply to any folder.
Comment 1 Samba QA Contact 2024-04-29 10:57:15 UTC
This bug was referenced in samba master:

eba2bfde347041a395f0fbd3c57235be63b1890d
80159018e411c643fbfe7ef82bd33e30b6147901
Comment 2 Noel Power 2024-04-30 10:57:20 UTC
Created attachment 18292 [details]
backported patch for 4.19
Comment 3 Noel Power 2024-04-30 10:57:49 UTC
Created attachment 18293 [details]
backported patch for 4.20
Comment 4 Ralph Böhme 2024-04-30 11:43:34 UTC
Reassigning to Jule for inclusion in 4.19 and 4.20.
Comment 5 Jule Anger 2024-05-07 07:34:24 UTC
Pushed to autobuild-v4-{20,19}-test.
Comment 6 Samba QA Contact 2024-05-07 08:53:03 UTC
This bug was referenced in samba v4-20-test:

d28a889aed25ac98ba4ef34b26190224e5ebe907
db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb
Comment 7 Samba QA Contact 2024-05-07 09:32:04 UTC
This bug was referenced in samba v4-19-test:

e703c0c3914d79f5ae4f42b3055e7a2005194927
b00c09bee3bc28e5637fd786122faeb6b200f2c5
Comment 8 Jule Anger 2024-05-07 11:23:42 UTC
Closing out bug report.

Thanks!
Comment 9 Samba QA Contact 2024-05-08 08:07:22 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.1):

d28a889aed25ac98ba4ef34b26190224e5ebe907
db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb
Comment 10 Samba QA Contact 2024-06-10 15:31:38 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.7):

e703c0c3914d79f5ae4f42b3055e7a2005194927
b00c09bee3bc28e5637fd786122faeb6b200f2c5