Given the following ACL, owner fails to create subfolder with ACCESS_DENIED.

# /usr/local/samba/bin/smbcacls -U mike%mikeliu123 //localhost/test /
REVISION:1
CONTROL:SR|DP
OWNER:MIKE-X85U\mike
GROUP:MIKE-X85U\administrators
ACL:Owner Rights:ALLOWED/OI|CI/FULL

# /usr/local/samba/bin/smbclient -U mike%mikeliu123 //localhost/test -c 'mkdir haha'
NT_STATUS_ACCESS_DENIED making remote directory \haha

-----

The problem is triggered by:
* mkdir_internal() calls check_parent_access_fsp()
* SMB_VFS_FGET_NT_ACL(fsp, SECINFO_DACL, frame, &parent_sd) only fetches SECINFO_DACL and passes parent_sd to se_file_access_check()
* se_access_check() will not check for explicit owner rights because sd->owner_sid is NULL.

Should we grant owner sid to check for explicit owner rights?

NTSTATUS check_parent_access_fsp(struct files_struct *fsp, uint32_t access_mask) { /* ... */ status = SMB_VFS_FGET_NT_ACL(fsp, + SECINFO_OWNER | SECINFO_DACL, - SECINFO_DACL, frame, &parent_sd); /* ... */ }
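Review bot: the added argument in the SMB_VFS_FGET_NT_ACL() call requests SECINFO_OWNER | SECINFO_DACL but leaves out the group, so parent_sd is still only partly populated when it reaches the access check. Consider requesting SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL here, and add a short comment above the call saying the owner SID is needed so that an Owner Rights ACE on the parent can be evaluated.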
Just checking, changing:

SECINFO_DACL -> SECINFO_OWNER | SECINFO_DACL

fixes this for you, correct?

If so, looks an obviously correct fix to me, but we'll need a regression test. Thanks!
(In reply to Jeremy Allison from comment #1) While there I'd also add SECINFO_GROUP...
> While there I'd also add SECINFO_GROUP

Yep of course!

> Just checking, changing:
> SECINFO_DACL -> SECINFO_OWNER | SECINFO_DACL
> fixes this for you, correct ?

Correct!
MR https://gitlab.com/samba-team/samba/-/merge_requests/3657
This bug was referenced in samba master: a9b3522f53aa2e6151cf83f1eeb65e3adea2b1d0
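The failure described in the report can be reproduced with a simplified model of the access check. This is an added example, not Samba's code: the struct layout, function names and the user SID are constructed for illustration, and only ALLOW ACEs are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OWNER_RIGHTS_SID "S-1-3-4"         /* well-known Owner Rights SID */
#define MIKE_SID "S-1-5-21-1-2-3-1000"     /* constructed user SID */
#define ADD_SUBDIR 0x00000004u             /* FILE_ADD_SUBDIRECTORY */
#define FULL       0x001F01FFu             /* FILE_ALL_ACCESS */

struct ace { const char *trustee; uint32_t allow; };
struct sd  { const char *owner_sid; const struct ace *aces; size_t num_aces; };

/* Hypothetical model: an Owner Rights ACE only matches when the descriptor
 * carries an owner SID and that SID is the caller's. */
static bool model_access_check(const struct sd *sd, const char *user_sid,
                               uint32_t want)
{
    bool am_owner = sd->owner_sid != NULL &&
                    strcmp(sd->owner_sid, user_sid) == 0;
    uint32_t remaining = want;

    for (size_t i = 0; remaining != 0 && i < sd->num_aces; i++) {
        const struct ace *a = &sd->aces[i];
        bool owner_rights = am_owner &&
                            strcmp(a->trustee, OWNER_RIGHTS_SID) == 0;
        if (owner_rights || strcmp(a->trustee, user_sid) == 0)
            remaining &= ~a->allow;        /* bits granted by this ACE */
    }
    return remaining == 0;
}

/* The parent DACL from the report: "Owner Rights:ALLOWED/OI|CI/FULL". */
static const struct ace parent_aces[] = { { OWNER_RIGHTS_SID, FULL } };

/* fetch_owner=false models asking for SECINFO_DACL only (owner_sid NULL);
 * fetch_owner=true models SECINFO_OWNER | SECINFO_DACL. */
bool mkdir_allowed(bool fetch_owner)
{
    struct sd parent = { fetch_owner ? MIKE_SID : NULL, parent_aces, 1 };
    return model_access_check(&parent, MIKE_SID, ADD_SUBDIR);
}

int main(void)
{
    printf("DACL only:    %s\n", mkdir_allowed(false) ? "allowed" : "denied");
    printf("OWNER | DACL: %s\n", mkdir_allowed(true) ? "allowed" : "denied");
    return 0;
}
```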