15880 – SMB ACL inheritance doesn't work for files created

Bug 15880 - SMB ACL inheritance doesn't work for files created

Summary: SMB ACL inheritance doesn't work for files created

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.20.0
Hardware:	All All

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Duplicates (2):	15847 15879 (view as bug list)
Depends on:
Blocks:

Reported:	2025-07-07 08:08 UTC by Srinivas Rao V
Modified:	2025-09-09 15:40 UTC (History)
CC List:	5 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/4109

Attachments
unx_mode variable is set correctly with variable smb_fname->st.st_ex_mode (897 bytes, patch) 2025-07-07 08:10 UTC, Srinivas Rao V	no flags	Details
patch from master for v4-22-test (1.36 KB, patch) 2025-07-19 20:29 UTC, Guenther Deschner	slow: review+ gd: review? (jra)	Details
patch from master for v4-21-test (1.36 KB, patch) 2025-07-19 20:30 UTC, Guenther Deschner	slow: review+ gd: review? (jra)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Srinivas Rao V 2025-07-07 08:08:57 UTC

Problem description
File creation via SMB protocol in folders with ACL inheritance

It has identified potential security leak or data access loss issue for files created from SMB clients. The issue may appear when SMB clients create files in folders that use ACL inheritance to change ACLs (additional access to groups, reduced access to a users primary group) from the default access mask.

Detailed Description:

To reproduce:

1) Have a directory with an NFSV4 ACL where permissions are inherited to
at least new files, e.g like this:

| # mmgetacl .
| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| special:owner@:rwxc:allow:FileInherit:DirInherit:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:----:allow:FileInherit:DirInherit:Inherited
|  (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
|  (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

2) From windows command line, where the SMB mounted directory is current
directory, create a file the simplest way possible to exclude the
possibility that some software overrrides permissions, e.g:

| dir > dir.txt

3) Check the ACL for the new file:

| # mmgetacl dir.txt

4) Has the new file inherited file permissions as it should, or is it
the same wrong permissions we see?

| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| #ACL flags:
| #  NULL_DACL
| #  NULL_SACL
| special:owner@:rwxc:allow:Inherited
|  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:r--c:allow:Inherited
|  (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
|  (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:r---:allow:Inherited
|  (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
|  (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
 
Fix:
unx_mode and st_ex_mode are compared and executing the SMB_VFS_FCHMOD which not expected, so unx_mode need to be set correctly in function possibly_set_archive.

Comment 1 Srinivas Rao V 2025-07-07 08:10:33 UTC

Created attachment 18658 [details]
unx_mode variable is set correctly with variable smb_fname->st.st_ex_mode

Comment 2 Srinivas Rao V 2025-07-08 09:06:44 UTC

*** Bug 15879 has been marked as a duplicate of this bug. ***

Comment 3 Ralph Böhme 2025-07-09 12:40:31 UTC

(In reply to Srinivas Rao V from comment #1)
Gna, looks like my fault. Change looks good! Can you create a MR on gitlab with this change, adding your signed-off to the commit message once you're happy with your patch?

Comment 4 Guenther Deschner 2025-07-10 10:47:42 UTC

While Srinivas does the paperwork, I run the patch successfully through our pipeline: https://gitlab.com/samba-team/devel/samba/-/commits/gd-mater-nfsv4acl-inheritance

Comment 5 Björn Jacke 2025-07-14 10:48:30 UTC

see also #7987 and the fix introducing fchmod_acl_module_common (currently only used in acl_xattr)

Comment 6 Samba QA Contact 2025-07-18 22:26:03 UTC

This bug was referenced in samba master:

1d1acebf01902bef3a9ccae23c3be4cacbb777b2

Comment 7 Jeremy Allison 2025-07-18 22:35:40 UTC

(In reply to Ralph Böhme from comment #3)

And I was the RB+. I'm sorry for missing that :-(.

Comment 8 Guenther Deschner 2025-07-19 20:29:25 UTC

Created attachment 18673 [details]
patch from master for v4-22-test

Comment 9 Guenther Deschner 2025-07-19 20:30:00 UTC

Created attachment 18674 [details]
patch from master for v4-21-test

Comment 10 Guenther Deschner 2025-08-13 12:29:35 UTC

*** Bug 15847 has been marked as a duplicate of this bug. ***

Comment 11 Ralph Böhme 2025-08-13 13:09:42 UTC

Reassigning to Jule for inclusion in 4.21, 4.22 and 4.23. The patch for 4.22 should apply to 4.23 as well (hopefully... :) )

Comment 12 Jule Anger 2025-08-14 08:12:59 UTC

Pushed to autobuild-v4-{22,21}-test.
The fix is already in 4.23 :)

Comment 13 Samba QA Contact 2025-08-14 09:42:03 UTC

This bug was referenced in samba v4-21-test:

2278b6317b7dc3e19c69bd38936149441602b058

Comment 14 Samba QA Contact 2025-08-14 12:33:02 UTC

This bug was referenced in samba v4-22-test:

af6d23f98919af8f6f802a9cf7410d1d4fb07288

Comment 15 Jule Anger 2025-08-14 13:14:15 UTC

Closing out bug report.

Thanks!

Comment 16 Samba QA Contact 2025-08-21 15:24:59 UTC

This bug was referenced in samba v4-22-stable (Release samba-4.22.4):

af6d23f98919af8f6f802a9cf7410d1d4fb07288

Comment 17 Samba QA Contact 2025-09-09 15:40:48 UTC

This bug was referenced in samba v4-21-stable (Release samba-4.21.8):

2278b6317b7dc3e19c69bd38936149441602b058