Bug 2606 - AIX ACLs allow read, write, and editing but not deleting or renaming
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.13
Hardware: PPC AIX
Importance: P3 regression
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-04-14 04:06 UTC by Alex Karle
Modified: 2006-01-25 10:46 UTC

Description Alex Karle 2005-04-14 04:06:24 UTC
I found a strange behaviour running Samba 3.0.13 on AIX 4.3. When I add user or
group access rights (rwx) to the underlying directory using the ACLs of JFS
through Samba, I can create and edit a file in this directory. When I want to
delete or rename that file, I get an access denied. The user or group I added to
the directory is a user out of ADS. The AIX machine is an AD member server and
the users are locally known through the security - methods.cfg. It would be
very nice to hear from you soon, because the machine should go productive next week.

Thanks in advance, regards Alex.
Comment 1 Yannick Bergeron 2005-04-15 08:29:27 UTC
Same problem, AIX 4.3.3 with samba-3.0.13

I'll try to roll back the patch applied for bug report #2521
(source/smbd/posix_acl.c)
Comment 2 Yannick Bergeron 2005-04-15 10:34:00 UTC
The bug is not from Revision 6003 of smbd/posix_acl.c

samba-3.0.11 doesn't have this bug
Comment 3 Jeremy Allison 2005-04-15 15:32:19 UTC
You *must* configure smbd with --with-acl-support to be able to successfully
process ACLs with 3.0.13 and above.
Jeremy.
Comment 4 Alex Karle 2005-04-15 16:23:19 UTC
(In reply to comment #3)
> You *must* configure smbd with --with-acl-support to be able to successfully
> process ACLs with 3.0.13 and above.
> Jeremy.
> 

I configured it with the --with-acl-support option. As I wrote, I can set ACLs
but they don't work properly ( -> description). In Samba 3.0.11 everything works
fine, thanks Yannick.
Alex.
Comment 5 Jeremy Allison 2005-04-15 16:53:55 UTC
In that case please post a debug level 10 log as an attachment to this bug
report showing the access failure.

Jeremy.
Comment 6 Alex Karle 2005-04-25 00:59:14 UTC
(In reply to comment #5)
> In that case please post a debug level 10 log as an attachment to this bug
> report showing the access failure.
> 
> Jeremy.
> 

Hello Jeremy,
excuse me for answering so late. I'm not allowed to post any log files due to
security reasons. Can anyone else please post the log (Yannick Bergeron?)?

Thanks, Alex.
Comment 7 Bernhard Uhe 2005-04-26 04:48:59 UTC
I have the same problem with Samba 3.0.13 and 3.0.12 under SUN Solaris 8.

I configured smbd with --with-acl-support but it doesn't work, so I went back to
version 3.0.11. That works fine.

Comment 8 Sec Pelle 2005-04-28 06:34:44 UTC
Same problem here,

What we see is degeneration between posix_acls.c versions 4348 and 6003.

Diff for /branches/SAMBA_3_0_RELEASE/source/smbd/posix_acls.c between version
4348 and 6003
version 4348, Thu Dec 23 18:45:36 2004 UTC; version 6003, Wed Mar 23 19:41:56 2005 UTC

Namely, can_delete_file_in_directory() appears to check only for traditional unix
ownerships and group ACLs. It doesn't account for deletion rights coming from
owner ACLs.

E.g. if running getfacl on a directory gives one user (owner) ACL such as:

user:sanna:rwx		#effective:rwx

This means in the underlying operating system (Solaris) that this additional user
(not the traditional UNIX owner in the stat buf), in this case sanna, should be able to
delete files in this directory.

As the check is written currently, sanna is not able to delete any files she or
others have created in the directory since 'user ACLs' are not checked.
Reverting this change from the 3.0.13 version to the 3.0.11 version fixes the problem
for us.
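
The access decision discussed in Comment 8, as an added example that is not part of the thread and is not Samba's code: a check on owner/group/other mode bits beside an ACL-aware check that follows the POSIX.1e draft evaluation order. The uid/gid numbers, the struct layout and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed model of a POSIX-draft ACL; these are not Samba's structures. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct ace { enum tag tag; unsigned id; unsigned perms; }; /* r=4 w=2 x=1 */
#define WX 3u /* unlinking needs write + search on the parent directory */

/* Owner/group/other check on st_mode only: named ACL entries are never seen. */
static int can_delete_mode_only(unsigned uid, unsigned gid, unsigned owner,
                                unsigned group, unsigned mode)
{
    unsigned p = uid == owner ? mode >> 6 : gid == group ? mode >> 3 : mode;
    return (p & WX) == WX;
}

/* POSIX.1e-draft evaluation order: owner, named user, groups, other.
 * Assumptions: one gid per caller, no root override, no sticky bit. */
static int can_delete_acl(unsigned uid, unsigned gid, unsigned owner,
                          unsigned group, const struct ace *acl, size_t n)
{
    unsigned mask = 7, uobj = 0, other = 0, named = 0;
    int is_named = 0, in_group = 0, group_ok = 0;
    for (size_t i = 0; i < n; i++) /* the mask must be known before it is applied */
        if (acl[i].tag == MASK) mask = acl[i].perms;
    for (size_t i = 0; i < n; i++) {
        const struct ace *e = &acl[i];
        if (e->tag == USER_OBJ) uobj = e->perms;
        else if (e->tag == OTHER) other = e->perms;
        else if (e->tag == USER && e->id == uid) { named = e->perms; is_named = 1; }
        else if ((e->tag == GROUP_OBJ && gid == group) ||
                 (e->tag == GROUP && e->id == gid)) {
            in_group = 1; /* a matching group entry stops fall-through to "other" */
            group_ok |= (e->perms & mask & WX) == WX;
        }
    }
    if (uid == owner) return (uobj & WX) == WX;         /* owner entry is not masked */
    if (is_named)     return (named & mask & WX) == WX; /* the user:sanna:rwx case */
    if (in_group)     return group_ok;
    return (other & WX) == WX;
}
/* Constructed sample: directory owned by uid 100 / gid 10, plus user:sanna (uid 200). */
static const struct ace sample_acl[] = {
    { USER_OBJ, 0, 7 }, { USER, 200, 7 }, { GROUP_OBJ, 0, 5 }, { MASK, 0, 7 }, { OTHER, 0, 0 },
};
int main(void)
{
    printf("mode bits only: %d, ACL aware: %d\n", can_delete_mode_only(200, 20, 100, 10, 0770),
           can_delete_acl(200, 20, 100, 10, sample_acl, 5));
    return 0;
}
```

For uid 200 the mode-bits check returns 0 while the ACL-aware check returns 1, which is the gap between the symptom reported here and what the underlying filesystem permits.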

Comment 9 Martynas Buozis 2005-05-13 12:12:56 UTC
Hello

I opened bug #2711, which looks the same as this one? If so, I can provide all
required logs at the required level.

Looks like a general problem?...

Martynas
Comment 10 James Peach 2005-08-11 19:27:13 UTC
This sounds like it is fixed in r6378
    http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=6378&view=rev
Comment 11 Gerald (Jerry) Carter (dead mail address) 2006-01-25 10:46:16 UTC
James says fixed.