The Samba-Bugzilla – Bug 5202
cannot change ACLs on writable file with "dos filemode=yes"
Last modified: 2010-01-11 05:15:00 UTC
The smb.conf(5) man page said:
dos filemode (S)
Enabling this parameter allows a user who has write access to
the file (by whatever means) to modify the permissions (including ACL) on it.
But a user who is not the owner of a file and doesn't have write privilege on
the file cannot change permissions and ACLs on the file.
Created attachment 3098
Proposed patch: Use can_write_to_file() in acl_group_override()
Patch for Samba 3.0.28.
Sorry, I'm a newbie in git usage...
s/permissions and ACLs/ACLs/ on summary.
Created attachment 3380
Fix "dos filemode" and rebirth "acl group control" parameter
Please give me comments.
This patch can be applied to Samba 3.0.30 too.
Patch works for me.
I had issues with setting ACEs if the user/group had write access only by ACEs, not by group or owner rights. This is solved with the patch, too.
Would anybody please review and check in?
Thank you very much! :-)
Looks good to me, I'll take care of this for 3.0.x and 3.2.1.
Fixed for the above named releases.
This bug re-occurred for 3.3.x and above, so re-opening.
The reason is that to change an NT ACL we now have to open the file requesting WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions in posix_acls doesn't add these bits when "dos filemode = yes", so even though the permission or owner change would be allowed by the POSIX ACL code, the NTCreateX call fails with ACCESS_DENIED now that we always check NT permissions first.
Patches to follow for 3.3.x, 3.4.x, 3.5.x.
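A simplified model of the access check described in the comment above, added here as an illustration; it is not Samba's code and not part of the original report. The function names, the `add_dac_bits` switch and the `PERM_*` constants are assumptions made for the example; the NT access-right values are the standard ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-right values. */
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define WRITE_DAC            0x00040000u
#define WRITE_OWNER          0x00080000u

/* POSIX permission bits of one ACL entry (hypothetical names). */
#define PERM_R 4u
#define PERM_W 2u
#define PERM_X 1u

/* Hypothetical model of the POSIX "rwx" -> NT mask mapping.
 * add_dac_bits = false models the behaviour reported in this bug. */
static uint32_t map_posix_to_nt(unsigned perms, bool dos_filemode, bool add_dac_bits)
{
    uint32_t mask = 0;
    if (perms & PERM_R) mask |= FILE_GENERIC_READ;
    if (perms & PERM_X) mask |= FILE_GENERIC_EXECUTE;
    if (perms & PERM_W) {
        mask |= FILE_GENERIC_WRITE;
        if (dos_filemode && add_dac_bits)
            mask |= WRITE_DAC | WRITE_OWNER;
    }
    return mask;
}

/* NT-style open check: every requested bit must be in the granted mask. */
static bool nt_open_allowed(uint32_t granted, uint32_t desired)
{
    return (desired & ~granted) == 0;
}

int main(void)
{
    uint32_t want = WRITE_DAC | WRITE_OWNER; /* requested to change an NT ACL */
    unsigned rw = PERM_R | PERM_W;           /* non-owner with write access */
    printf("mapping without the bits: %s\n",
           nt_open_allowed(map_posix_to_nt(rw, true, false), want) ? "OK" : "ACCESS_DENIED");
    printf("mapping with the bits:    %s\n",
           nt_open_allowed(map_posix_to_nt(rw, true, true), want) ? "OK" : "ACCESS_DENIED");
    return 0;
}
```

In this model a read-only entry, or a writable entry with "dos filemode = no", is still refused the open, so the extra bits follow write access only.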
Created attachment 5150
git-am format patch for 3.5.0.
Created attachment 5151
git-am fix for 3.4.5.
Created attachment 5152
git-am format patch for 3.3.10.
Guenther, please review and test and then re-assign to Karolin for inclusion in the given releases.
This was also logged as Red Hat bugzilla:
Tested the v3-3-test variant, looks fine. Thanks!
Reassigning to karo for inclusion.
Pushed to v3-5-test, v3-4-test and v3-3-test.
Closing out bug report.