6395 – File truncated when the editor is not the unix owner of the file in some applications

Bug 6395 - File truncated when the editor is not the unix owner of the file in some applications

Summary: File truncated when the editor is not the unix owner of the file in some appl...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	unspecified
Hardware:	Other Linux

Importance:	P3 critical (vote)
Target Milestone:	---
Assignee:	Andrew Tridgell
QA Contact:	Andrew Bartlett

URL:
Keywords:

Depends on:
Blocks:	6600
	Show dependency tree / graph

Reported:	2009-05-22 18:06 UTC by Matthieu Patou
Modified:	2009-08-05 02:53 UTC (History)
CC List:	0 users

See Also:

Attachments
Tcpdump capture of the exchange while trying to edit policy (39.80 KB, application/octet-stream) 2009-05-22 18:07 UTC, Matthieu Patou	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthieu Patou 2009-05-22 18:06:59 UTC

Some applications use a file backend to store their data, using those applications with different user (having full right in NT ACL and rwx in unix) leads to truncated files.

One of this application is the policy editor. To reproduce the problem:

Create a policy with the domain administrator (Administrator), set the number of days for password expiration (
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy)

Save
Ensure that the domain admin groups has full rights on the domain policy folder (\\myadserver.domain\sysvol\domain\Policies)
Set group write right on all files and dir in the <samba_base_dir>/var/locks/sysvol directory.
Ensure that this folder and subfolder and files are owned by the unix group of the domain users (check idmap.tdb for the group mapping). 
Login with a different user member of the domain admin group as well.
Try to modify the same policy (ie. add one more day) and receive an error message.

In my case it's this file:
"smb4.tst/Policies/{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"

ls "{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit"/ -l

-rw-rw-r-- 1 root 3000005 314 2009-04-30 16:45 GptTmpl.inf   

The account used is user_adm which is part of the "domain admins" group which translate to unix group 3000005.

Comment 1 Matthieu Patou 2009-05-22 18:07:49 UTC

Created attachment 4190 [details]
Tcpdump capture of the exchange while trying to edit policy

Comment 2 Matthias Dieter Wallnöfer 2009-08-04 12:30:08 UTC

Hi Matthieu,
I reproduced your bug. It's perfectly valid.

I get an error box telling me: "Not saved. Not saved. <GPO path>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf".

In the directory of "GptTmpl.inf" I locate the file empty and the old content in a "GptTmpl.tmp" file (which the GPO editor for sure created as a backup). After clicking on "OK" both files are totally cleared.

But as said I marked the bug as "critical" and as "must-have" for the upcoming first beta release (consider the tracking bug).

I hope Tridge is able to fix this nasty problem soon (I personally am not skilled to fix file server issues).

Comment 3 Matthieu Patou 2009-08-05 02:25:43 UTC

smb.conf content:
[globals]
        netbios name    = test
        workgroup       = SAMBA4
        realm           = smb4.tst
        server role     = domain controller
  debug level =         2

[tests]
  path = /tmp/tests
        read only = no
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/smb4.tst/scripts
        read only = no

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = no

Comment 4 Andrew Tridgell 2009-08-05 02:53:25 UTC

This has been fixed with git commit 00a8ff5fe9acf965395b99b39b0c24a5517b6e2b

Please test!