Bug 4602 - smbcacls removes mask from files
Summary: smbcacls removes mask from files
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.0.25
Hardware: Other Other
: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-09 05:05 UTC by Henrik (dead mail address)
Modified: 2014-10-30 08:33 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Henrik (dead mail address) 2007-05-09 05:05:42 UTC 
When using smbcacls to restore the acl on a file which is located on a smba share I noticed that smbcacls sometimes removes the file acle mask.

Example:
Looking at the file on the share with getfacl
cubiq-testbox:/tmp# getfacl acltest # file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--
mask::rw-
other::r--

Retrieving the acls of the file with smbcacls
cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik --numeric
REVISION:1
OWNER:S-1-5-21-1291655818-2083803856-2975106597-500
GROUP:S-1-5-21-1291655818-2083803856-2975106597-513
ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f
ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00120089
ACL:S-1-1-0:0/0/0x00120089

Setting the ACLs using the retrieved ACLs.
cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik -S 'REVISION:1,OWNER:S-1-5-21-1291655818-2083803856-2975106597-500,GROUP:S-1-5-21-1291655818-2083803856-2975106597-513,ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f,ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00120089,ACL:S-1-1-0:0/0/0x00120089'

Looking at the file with getfacl shows that the mask is removed.
cubiq-testbox:/tmp# getfacl acltest # file: acltest# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--
other::r--

I can somewhat understand why this is happening as the smbcacls retrieves the ACLs based on effective permissions ignoring if the are sat by the mask or the specific users permissions. When set back the effective permissions are the same but the original ACL are not the same as the mask has been removed.

I know that the term mask is not use the same way on Windows system and there it probably works as expected but using as Samba server on a Linux filesystem should be able to handle the mask attribute better.

Regards,
Henrik
Comment 1 Henrik (dead mail address) 2007-05-09 05:16:43 UTC 
Sorry for reposting so soon but I noticed that these examples are a little bit clearer as you can see the effective perms.

Original....
cubiq-testbox:/tmp# getfacl acltest 
# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--                      #effective:---
mask::---
other::r--

Setting...
cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik -M'REVISION:1,OWNER:S-1-5-21-1291655818-2083803856-2975106597-500,GROUP:S-1-5-21-1291655818-2083803856-2975106597-513,ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f,ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00000000,ACL:S-1-1-0:0/0/0x00120089'

Result...
cubiq-testbox:/tmp# getfacl acltest 
# file: acltest# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::---
other::r--
Comment 2 Björn Jacke 2014-10-29 15:24:06 UTC 
the acl mask is not used in the Windows ACL world, not even all Unices have the concept of ACL masks. I think if you set ACLs via SMB then it is just straight forward right to expect and work with effective ACLs only.

Jeremy, you agree or do you see any misbehaviour here?
Comment 3 Jeremy Allison 2014-10-30 03:30:55 UTC 
Nope, looks correct to me - using minimal required perm settings (if you only have user,group,world settings the mask is simply not required).

Jeremy.