Bug 15879 - SMB ACL inheritance doesn't work for files created
Summary: SMB ACL inheritance doesn't work for files created
Status: RESOLVED DUPLICATE of bug 15880
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.20.0
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-07-07 08:07 UTC by Srinivas Rao V
Modified: 2025-07-08 09:06 UTC

Attachments
unx_mode variable is set correctly with variable smb_fname->st.st_ex_mode (897 bytes, application/mbox)
2025-07-07 08:07 UTC, Srinivas Rao V

Description Srinivas Rao V 2025-07-07 08:07:08 UTC
Created attachment 18657
unx_mode variable is set correctly with variable smb_fname->st.st_ex_mode

Problem description
File creation via SMB protocol in folders with ACL inheritance

A potential security leak or data-access-loss issue has been identified for files created from SMB clients. The issue may appear when SMB clients create files in folders that use ACL inheritance to change ACLs (additional access to groups, reduced access to a user's primary group) from the default access mask.

Detailed Description:

To reproduce:

1) Have a directory with an NFSv4 ACL where permissions are inherited to at least new files, e.g. like this:

| # mmgetacl .
| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| special:owner@:rwxc:allow:FileInherit:DirInherit:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:----:allow:FileInherit:DirInherit:Inherited
|  (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
|  (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

2) From the Windows command line, with the SMB-mounted directory as the current directory, create a file in the simplest way possible to exclude the possibility that some software overrides permissions, e.g.:

| dir > dir.txt

3) Check the ACL for the new file:

| # mmgetacl dir.txt

4) Has the new file inherited file permissions as it should, or does it have the same wrong permissions we see?

| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| #ACL flags:
| #  NULL_DACL
| #  NULL_SACL
| special:owner@:rwxc:allow:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:r--c:allow:Inherited
|  (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:r---:allow:Inherited
|  (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
|  (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
 
Fix:
unx_mode and st_ex_mode are compared and SMB_VFS_FCHMOD is executed, which is not expected, so unx_mode needs to be set correctly in the function possibly_set_archive.
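The reproduction above compares two mmgetacl listings by eye. As an added example (not code from the bug report or from Samba), the following check parses ACLs in the mmgetacl text format shown in the report and flags every parent ACE carrying FileInherit whose entry on the new file is missing or has different permissions; the two embedded ACLs are constructed from the report's parent and child listings, and the "(X)/(-)" detail lines are ignored.

```python
# Added example: verify NFSv4 ACL inheritance from a directory to a new file
# using mmgetacl-style text. Samples are constructed from the bug report's
# parent directory ACL and the wrongly inherited file ACL.
import re

ACE_RE = re.compile(
    r"^(special|user|group):([^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")

PARENT_ACL = """#NFSv4 ACL
special:owner@:rwxc:allow:FileInherit:DirInherit:Inherited
special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
special:everyone@:----:allow:FileInherit:DirInherit:Inherited
"""

CHILD_ACL = """#ACL flags:
#  NULL_DACL
special:owner@:rwxc:allow:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:group@:r--c:allow:Inherited
special:everyone@:r---:allow:Inherited
"""

def parse_acl(text):
    """Return (principal, perms, effect, flags) tuples from mmgetacl output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("| ").strip()  # tolerate "| " quoting
        m = ACE_RE.match(line)
        if not m:
            continue  # header comments, (X)/(-) detail lines, blanks
        kind, principal, perms, effect, flags = m.groups()
        aces.append((f"{kind}:{principal}", perms, effect,
                     {f for f in flags.split(":") if f}))
    return aces

def inheritance_mismatches(parent_acl, child_acl):
    """Map principal -> (expected perms, actual perms) for each parent ACE
    with FileInherit whose child entry is absent (None) or differs."""
    child = {(p, e): perms for p, perms, e, _ in parse_acl(child_acl)}
    problems = {}
    for principal, perms, effect, flags in parse_acl(parent_acl):
        if "FileInherit" not in flags:
            continue
        actual = child.get((principal, effect))
        if actual != perms:
            problems[principal] = (perms, actual)
    return problems
```

Feeding the real `mmgetacl <dir>` and `mmgetacl <dir>/dir.txt` outputs to `inheritance_mismatches` returns an empty dict when inheritance worked; for the listings in this report it reports group@ (rwxc expected, r--c present) and everyone@ (---- expected, r--- present).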
Comment 1 Srinivas Rao V 2025-07-08 09:06:44 UTC

*** This bug has been marked as a duplicate of bug 15880 ***