Bug 293 - Bug in 'map acl inherit = yes'
Summary: Bug in 'map acl inherit = yes'
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0preX
Hardware: Other other
Importance: P3 major
Target Milestone: none
Assignee: Jeremy Allison
QA Contact:
Depends on:
Reported: 2003-08-12 09:55 UTC by Marc Kaplan
Modified: 2005-02-07 09:02 UTC
Description Marc Kaplan 2003-08-12 09:55:05 UTC
So the problem is that explicit permissions added to an inherited ACE look to 
also be coming from inheritance, when in reality they are not. The cause of 
this is that the EA only specifies whether the UID/GID was inherited, it 
does not specify the ACEs for those UIDs/GIDs.

This is especially problematic, because future changes to the ACE cause the 
explicit portion of the ACE to be cleared, and only the original inherited 
part is preserved.

Win2k actually stores different ACEs for inherited permissions and explicit 
permissions, and they are || together for effective permissions, but the 
inherited ones are shown as "locked".
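
An added illustration, not part of the original report and not Samba code: a toy Python model of the two storage schemes described above, showing why a per-id "inherited" flag cannot tell an explicit grant from an inherited one. The function names, the bit values and the user "alice" are constructed for the example.

```python
# Toy model, constructed for illustration; not Samba source code.
READ, WRITE = 0x4, 0x2   # permission bits (constructed values)

def store_flag_only(inherited, explicit):
    """Scheme from the report: one merged mask per id, plus an EA that
    records only WHICH ids were inherited."""
    ids = set(inherited) | set(explicit)
    acl = {i: inherited.get(i, 0) | explicit.get(i, 0) for i in ids}
    ea = {i for i in ids if inherited.get(i, 0)}
    return acl, ea

def read_flag_only(acl, ea):
    """Rebuild (inherited, explicit) from that storage. An id flagged in
    the EA has its entire mask reported as inherited."""
    inherited = {i: m for i, m in acl.items() if i in ea}
    explicit = {i: m for i, m in acl.items() if i not in ea}
    return inherited, explicit

def store_split(inherited, explicit):
    """Win2k-style: inherited and explicit ACEs are kept apart."""
    return dict(inherited), dict(explicit)

def effective(inherited, explicit):
    """Effective permissions are the OR of both parts."""
    return {i: inherited.get(i, 0) | explicit.get(i, 0)
            for i in set(inherited) | set(explicit)}

def demo():
    inherited = {"alice": READ}      # comes from the parent directory
    explicit = {"alice": WRITE}      # added directly on the file
    flat = read_flag_only(*store_flag_only(inherited, explicit))
    split = store_split(inherited, explicit)
    return flat, split

if __name__ == "__main__":
    flat, split = demo()
    print("flag-only (inherited, explicit):", flat)
    print("split     (inherited, explicit):", split)
```

Both schemes give the same effective permissions, but only the split form can report which bits were set explicitly.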
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-08-29 08:11:34 UTC
Will try again for RC3.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-08-29 08:11:56 UTC
Will try again for RC3.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-08-29 08:13:31 UTC
sorry.  didn't mean to close it.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2004-03-24 07:13:12 UTC
When using the map acl inherit = yes option to store whether the 
ACEs were inherited from parent, any *explicit* permission added 
to an inherited ACE makes the entire ACE look like it's being 
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-05-27 04:05:31 UTC
can we do something with this one or close it out as won't fix ?
or just set the priority to a p5 meaning that it might get 
done one day when everything else is fixed.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:02:24 UTC
no work on this one.  closing on won't fix.