Bug 5807 - Default ACL for "other" not applied on files created through CIFS filesystem (mount.cifs)
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assigned To: Jeff Layton
QA Contact: Samba QA Contact
URL: https://bugs.launchpad.net/ubuntu/+so...
Reported: 2008-10-02 13:38 UTC by Etienne Goyer
Modified: 2009-05-26 19:10 UTC (History)

Attachments
Capture trace showing the problem. (3.31 KB, application/cap)
2009-05-19 14:00 UTC, Jeremy Allison

Description Etienne Goyer 2008-10-02 13:38:22 UTC
When creating a file on a CIFS-mounted file system (using Unix Extensions), files do not inherit the default POSIX ACL for "other".  However, directories created in the same fashion inherit it just fine.

Client (intrepid-desktop in the example below): 
 - Ubuntu 8.10 (currently alpha), kernel 2.6.27
 - Samba from the distribution: 3.2.3
 - cifs kernel module v. 1.54


Server (intrepid-server in the example below):
 - Ubuntu 8.10 (currently alpha), kernel 2.6.27
 - Samba 3.3.0pre2 compiled from source (default ./configure, no option)

On the server, smb.conf is completely blank (all default), except for the share definition:

[share]
    path = /srv/share
    read only = no
    inherit acls = yes


Example (this part on the server):

ubuntu@intrepid-server:~$ umask
0022
ubuntu@intrepid-server:~$ cd /srv/share
ubuntu@intrepid-server:/srv/share$ sudo mkdir test-acl
[sudo] password for ubuntu: 
ubuntu@intrepid-server:/srv/share$ sudo chown ubuntu:ubuntu test-acl
ubuntu@intrepid-server:/srv/share$ setfacl -m d:o:rwx test-acl
ubuntu@intrepid-server:/srv/share$ getfacl test-acl
# file: test-acl
# owner: ubuntu
# group: ubuntu
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rwx

ubuntu@intrepid-server:/srv/share$ mkdir test-acl/dir-local
ubuntu@intrepid-server:/srv/share$ touch test-acl/file-local
ubuntu@intrepid-server:/srv/share$ getfacl -R test-acl
# file: test-acl
# owner: ubuntu
# group: ubuntu
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rwx

# file: test-acl/test-local
# owner: ubuntu
# group: ubuntu
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::rwx

# file: test-acl/dir-local
# owner: ubuntu
# group: ubuntu
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::rwx

# file: test-acl/file-local
# owner: ubuntu
# group: ubuntu
user::rw-
group::r--
other::rw-


So far so good, the file test-acl/file-local inherited "other" permission from the default ACL as expected (not inheriting x is expected, as explained in acl(5)).

Now, on the client:

ubuntu@intrepid-desktop:~$ uname -r
2.6.27-2-generic
ubuntu@intrepid-desktop:~$ modinfo -F version cifs
1.54
ubuntu@intrepid-desktop:~$ umask
0022
ubuntu@intrepid-desktop:~$ grep intrepid-server /etc/fstab
//intrepid-server/share /home/ubuntu/intrepid-server    cifs    user,username=ubuntu,password=ubuntu,noperm     0       0
ubuntu@intrepid-desktop:~$ mount /home/ubuntu/intrepid-server
ubuntu@intrepid-desktop:~$ cd /home/ubuntu/intrepid-server/test-acl/
ubuntu@intrepid-desktop:~/intrepid-server/test-acl$ mkdir dir-cifs
ubuntu@intrepid-desktop:~/intrepid-server/test-acl$ touch file-cifs


I cannot use getfacl on the client to retrieve the ACL on the file I just created, as the cifs module in Ubuntu was not compiled with CONFIG_CIFS_XATTR.  However, if I inspect the file and directory just created on the server, here is what I get:

ubuntu@intrepid-server:/srv/share$ getfacl test-acl/*-cifs
# file: test-acl/dir-cifs
# owner: ubuntu
# group: ubuntu
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rwx

# file: test-acl/file-cifs
# owner: ubuntu
# group: ubuntu
user::rw-
group::r--
other::r--


We can see the directory inherited the default ACL, but the file created on the client over the CIFS-mounted file system does not appear to have got the w permission propagated from the parent directory as expected.

It should be noted that setting a default ACL for a named group (i.e., setfacl -m d:g:users:rwx) works just fine with both files and directories, as expected.  It seems it is really just the default ACL for the "other" entry that does not get propagated to files.
Comment 1 Jeremy Allison 2009-05-19 13:56:46 UTC
Ok, I've reproduced this with the latest v3-2-test git branch, and it's a CIFS client bug.

The client creates the file using NTCreateX, and the server correctly inherits the file permissions from the ACL. The client then calls SetPathInfo with a UNIX infolevel and writes a new mode on top of the carefully server-created one.

I'm attaching a capture trace for Steve and Jeff to take a look at.

Jeremy.
Comment 2 Jeremy Allison 2009-05-19 14:00:50 UTC
Created attachment 4170 [details]
Capture trace showing the problem.

Jeff or Steve, look at packets 8-11 to show the problem.
Jeremy.
Comment 3 Jeff Layton 2009-05-19 14:03:12 UTC
I think that's a known problem and should be fixed now. We just added the POSIX create for files recently (2.6.29-ish?). As long as the server supports posix create calls properly then that should work with recent kernels.

Jeremy, what kernel were you using when you reproduced this?
Comment 4 Jeremy Allison 2009-05-26 18:56:26 UTC
This was with the default kernel on Ubuntu 9.04. 2.6.28 I think. Note the reporter is using Ubuntu 8.10 (kernel 2.6.27).
Jeremy.
Comment 5 Jeff Layton 2009-05-26 19:10:45 UTC
Ahh ok...I'm fairly certain that this problem is no more since we implemented posix creates in 2.6.29. I'm going to close this as FIXED. Please reopen if you see the same problem on kernels >= 2.6.29.