Bug 5873 - ACL inheritance cannot be broken
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: 3.2.4
Hardware: All Windows XP
Importance: P3 major
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL: http://www.wzb.eu
Duplicates: 5877
Reported: 2008-11-05 05:29 UTC by Peter Rindfuss
Modified: 2010-11-21 04:41 UTC

Attachments
smb.conf (1.69 KB, text/plain)
2008-11-11 17:08 UTC, Bill Marshall
3.2.4 smb.conf (opensuse 11) (2.50 KB, text/plain)
2008-11-12 09:01 UTC, Peter Rindfuss
Temporary patch for 3-2-test branch. (744 bytes, patch)
2008-11-12 21:36 UTC, Jeremy Allison

Description Peter Rindfuss 2008-11-05 05:29:01 UTC
I cannot break ACL inheritance anymore in the Windows ACL editor. With previous Samba versions, I entered the "Advanced" dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". Afterwards, I could remove or change ACLs as needed. If I do this now, inheritable ACLs that exist on higher directory levels re-appear after having deleted them.
Comment 1 Jeremy Allison 2008-11-06 00:16:54 UTC
*** Bug 5877 has been marked as a duplicate of this bug. ***
Comment 2 Jeremy Allison 2008-11-06 00:17:31 UTC
I'll look at this once I'm back in the USA (Nov 10th).
Jeremy.
Comment 3 Jeremy Allison 2008-11-11 14:29:37 UTC
Ok, I'm trying to reproduce this with the current code in the git tree samba-3-2-test and can't (i.e. unsetting the bit in the ACL editor works for me).

So I need an exact description of how your share/directories are set up UNIX permissions-wise, and an exact copy of your smb.conf please.

Jeremy.
Comment 4 Bill Marshall 2008-11-11 17:05:05 UTC
I created New Folder\Bill in my homedir.

I added the wrm3 user w/ full control in the GUI to New Folder & Bill.

[root@rchs9bld bmarsh]# getfacl New\ Folder/
# file: New\040Folder
# owner: root
# group: domain\040users
user::rwx
user:bmarsh:rwx
user:wrm3:rwx
group::--x
group:domain\040admins:rwx
mask::rwx
other::--x
default:user::rwx
default:user:bmarsh:rwx
default:user:wrm3:rwx
default:group::--x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::--x

[root@rchs9bld bmarsh]# getfacl New\ Folder/Bill/
# file: New\040Folder/Bill
# owner: root
# group: domain\040users
user::rwx
user:bmarsh:rwx
user:wrm3:rwx
group::--x
group:domain\040admins:rwx
mask::rwx
other::--x
default:user::rwx
default:user:bmarsh:rwx
default:user:wrm3:rwx
default:group::--x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::--x

In the GUI, when I try to remove wrm3 from Bill, wrm3 comes back when I click apply.
Comment 5 Bill Marshall 2008-11-11 17:08:55 UTC
Created attachment 3727
smb.conf
Comment 6 Bill Marshall 2008-11-11 17:36:34 UTC
I get the same problems on 3.2.4 from SerNet.

[root@rchs4bld lbmarsh]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
[root@rchs4bld lbmarsh]# rpm -qi samba3
Name        : samba3                       Relocations: (not relocatable)
Version     : 3.2.4                             Vendor: Service Network GmbH, Goettingen
Release     : 37                            Build Date: Wed 22 Oct 2008 08:21:00 AM CDT
Comment 7 Peter Rindfuss 2008-11-12 09:01:19 UTC
Created attachment 3729
3.2.4 smb.conf (opensuse 11)

Share starts at /wzb/samba

# file: /wzb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /wzb/samba
# owner: root
# group: users
user::rwx
group::r-x
other::---

# file: /wzb/samba/group
# owner: root
# group: users
user::rwx
group::r-x
other::---

# file: /wzb/samba/group/BAL
# owner: root
# group: users
user::rwx
user:pollner:r-x
user:udo:r-x
user:walther:r-x
group::---
group:bal:rwx
group:zensus:r-x
group:_p_etlm:r-x
group:neps:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:bal:rwx
default:group:zensus:r-x
default:mask::rwx
default:other::---
Comment 8 Jeremy Allison 2008-11-12 20:37:22 UTC
Ok I've done some investigation of this, and I'm being bitten by the bugfix for bug #4308. The problem is that removing an ACE entry and then clicking "apply" causes a security descriptor set with type = 0x9d04. This includes the "SEC_DESC_DACL_AUTO_INHERIT_REQ|SEC_DESC_DACL_AUTO_INHERITED" pair that triggers the append_parent_acl() call that fixes the Excel bug (#4308). The type value being used here (0x9d04) is identical to the type value used by Excel when setting a truncated security descriptor. I believe Vista backup also does this (bug #5306).

After implementing "real" security descriptors as a layer on top of POSIX acls in the 3.3 codebase I'm now convinced that doing any inheritance at the server is incorrect, and all inheritance calculation should in fact be being done in the client. The problem is if I remove this code, the Excel problem will re-appear.

In the Excel case, something about the posix mapped security descriptor we're returning is causing the inheritance calculations not to be done. So the actual bug is still #4308, and #5306 and I'll work on the problem there.
Jeremy.
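
Decoding the type value 0x9d04 from comment 8, as an added example (not part of the bug thread and not Samba's source). The bit values are those of the Windows security descriptor control field; the three SEC_DESC_ macro names follow the comment, while the function names and the trigger_unless_protected variant are hypothetical illustrations, not the fix that was shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control ("type") bits of a Windows security descriptor, per MS-DTYP. */
#define SEC_DESC_DACL_AUTO_INHERIT_REQ 0x0100
#define SEC_DESC_DACL_AUTO_INHERITED   0x0400
#define SEC_DESC_DACL_PROTECTED        0x1000

static const struct { uint16_t bit; const char *name; } sd_bits[] = {
    {0x0001, "OWNER_DEFAULTED"},       {0x0002, "GROUP_DEFAULTED"},
    {0x0004, "DACL_PRESENT"},          {0x0008, "DACL_DEFAULTED"},
    {0x0010, "SACL_PRESENT"},          {0x0020, "SACL_DEFAULTED"},
    {0x0040, "DACL_TRUSTED"},          {0x0080, "SERVER_SECURITY"},
    {0x0100, "DACL_AUTO_INHERIT_REQ"}, {0x0200, "SACL_AUTO_INHERIT_REQ"},
    {0x0400, "DACL_AUTO_INHERITED"},   {0x0800, "SACL_AUTO_INHERITED"},
    {0x1000, "DACL_PROTECTED"},        {0x2000, "SACL_PROTECTED"},
    {0x4000, "RM_CONTROL_VALID"},      {0x8000, "SELF_RELATIVE"},
};

/* Write the names of all set bits into out; return how many were set. */
int sd_type_decode(uint16_t type, char *out, size_t len) {
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(sd_bits) / sizeof(sd_bits[0]); i++) {
        if (!(type & sd_bits[i].bit)) continue;
        if (n++) strncat(out, "|", len - strlen(out) - 1);
        strncat(out, sd_bits[i].name, len - strlen(out) - 1);
    }
    return n;
}

/* Trigger as comment 8 describes it: both auto-inherit bits are set. */
int trigger_as_described(uint16_t type) {
    uint16_t pair = SEC_DESC_DACL_AUTO_INHERIT_REQ | SEC_DESC_DACL_AUTO_INHERITED;
    return (type & pair) == pair;
}

/* Hypothetical variant (an assumption, not Samba's fix): skip protected DACLs. */
int trigger_unless_protected(uint16_t type) {
    return trigger_as_described(type) && !(type & SEC_DESC_DACL_PROTECTED);
}

int main(void) {
    char buf[256];
    int n = sd_type_decode(0x9d04, buf, sizeof buf);
    printf("0x9d04: %d bits set: %s\nas described=%d, unless protected=%d\n", n, buf,
           trigger_as_described(0x9d04), trigger_unless_protected(0x9d04));
    return 0;
}
```

0x9d04 also carries DACL_PROTECTED (0x1000), the control bit that marks a DACL as protected from inheritable ACEs. Because comment 8 says Excel sends the identical type value, a test on the type field alone gives the same answer for both clients.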
Comment 9 Jeremy Allison 2008-11-12 21:36:56 UTC
Created attachment 3730
Temporary patch for 3-2-test branch.

Ok, if people can try this (temporary, not the final) fix. It should allow removal of ACE entries again. Bill and others, I need testing with Excel to prevent regressions of #4308.
Jeremy.
Comment 10 Chandra 2008-11-24 11:18:12 UTC
(In reply to comment #9)
> Created an attachment (id=3730)
> Temporary patch for 3-2-test branch.
> Ok, if people can try this (temporary, not the final) fix. It should allow
> removal of ACE entries again. Bill and others, I need testing with Excel to
> prevent regressions of #4308.
> Jeremy.


I've tried this patch and it looks good, it allows removal of ACE entries. I've also tested with Excel, I couldn't reproduce problems of #4308, I am not sure if I've tested all the possibilities with Excel.

Thanks,
Chandra
Comment 11 oota toshiya 2008-11-30 20:41:55 UTC
Is this bug scheduled to be corrected by "3.0.x"?
Comment 12 Peter Rindfuss 2008-12-12 08:32:33 UTC
With version 3.2.6, it appears to be ok.
Thanks a lot for fixing it.
Comment 13 lissyara 2008-12-12 09:00:46 UTC
(In reply to comment #12)
> With version 3.2.6, it appears to be ok.
> Thanks a lot for fixing it.
> 

for 3.0.x - fixed?
or give patch...
Comment 14 Hubert Faulhaber 2009-01-15 03:35:33 UTC
(In reply to comment #13)
> for 3.0.x - fixed?
> or give patch...

I'd need a patch for 3.0.x, too... 
Comment 15 Bruce Marriner 2009-05-08 08:23:03 UTC
I'm having this same problem with Samba 3.2.11 on Gentoo.  I can uncheck the inherit permissions box and then remove/modify the permissions and once I apply them the inherited permissions just show right back up.  Be happy to provide any additional information or do any sort of testing.  
Comment 16 Peter Rindfuss 2009-05-08 08:51:59 UTC
I've tried again with 3.2.11 on opensuse 11.0, and everything's fine.
See also my Comment #12.
Peter
Comment 17 Bruce Marriner 2009-05-08 09:04:32 UTC
Well..  Are there some configuration options that could affect this?  It is not working for me on 3.2.11 on Gentoo and I would like to find and resolve the problem.

Again.  I have a fresh install of both Gentoo and Samba (3.2.11) and a temp share defined.  If I open that share and create files and folders and within their Security then Advanced tab (from Windows Vista Business) they all have "Include inheritable permissions from this object's parent" checked.  I click Edit and uncheck that box.  It opens a pop-up window that asks if I want to copy the inherited permissions or remove them.  I click on Remove.  Now all the permissions appear to have been removed.  Once I click Apply they all come back but the "Include inheritable permissions from this object's parent" box remains unchecked.  I can add new entries but am unable to remove the "inherited" entries.

I am fairly new to using Samba in this way and perhaps I'm doing something wrong but am not sure what that would be or how to find out.  
Comment 18 Peter Rindfuss 2009-05-08 09:23:22 UTC
I have
nt acl support = Yes
map acl inherit = Yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
dos filemode = Yes
acl group control = No 
Peter
Comment 19 Bruce Marriner 2009-05-08 09:31:20 UTC
Hmn, Seems I'm just wasting your time.  I apparently don't have a good understanding of how samba acl works compared to windows.  I did some more testing and it does in fact remove inherited permissions.  The part that was throwing me off is how the normal unix permissions remained (user/group/everyone) and in my clicky gui windows mindset I was trying to remove/change those values which I'm used to being able to do.  Mostly the Group and Everyone parts.

Sorry for filling this bug-report with gibberish.
Comment 20 TAKAHASHI Motonobu 2010-10-09 03:42:44 UTC
According to relnotes, this bug was fixed in Samba 3.0.34, Samba 3.2.6, Samba 3.3.0.
http://www.samba.org/samba/history/samba-3.0.34.html
comment #12
http://www.samba.org/samba/history/samba-3.3.0.html
Comment 21 Matthias Dieter Wallnöfer 2010-11-21 04:41:28 UTC
I'm marking it as FIXED. If someone complains please reopen!