Bug 6507 - change_dir_owner_to_parent: acl inheritance bug
change_dir_owner_to_parent: acl inheritance bug
Status: NEW
Product: Samba 3.3
Classification: Unclassified
Component: File services
3.3.5
x64 Windows XP
: P3 major
: ---
Assigned To: Volker Lendecke
Samba QA Contact
http://www.wzb.eu
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-25 09:44 UTC by Peter Rindfuss
Modified: 2010-08-22 02:32 UTC (History)
2 users (show)

See Also:


Attachments
smb.conf (2.17 KB, application/octet-stream)
2009-06-25 09:47 UTC, Peter Rindfuss
no flags Details
bug text as attachment (4.11 KB, text/plain)
2009-06-25 09:53 UTC, Peter Rindfuss
no flags Details
level 10 dump (70.39 KB, application/octet-stream)
2009-06-25 10:04 UTC, Peter Rindfuss
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Rindfuss 2009-06-25 09:44:36 UTC
We have Samba 3.3.6 with ACLs on OpenSuse 11.0 (PDC/BDC with OpenLDAP).
Clients are WinXP Pro SP3. Winbindd ist not used.


I have noticed some problems with ACLs inheritance. I first saw this with Samba 3.3.5/3.3.6, but I found out it also exists in 3.2.7, our previous version. I think it is serious because it caused a security hole here.

I apologize for the lengthy text but I think it is necessary to explain the circumstances. I add it as an attachment to give a chance to better read the ACL tables.


Given is a folder M:\user\aaa owned by user 'aaa' with primary group 'users'. Windows advanced ACL editor shows

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
The flag 'Inherit from the parent the permission entries ...' is set.

I think this is as it should be.
Now I create a subfolder M:\user\aaa\abc. 'abc' gets permissions

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | Otto Aaa (WZB\aaa)       | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only
The flag 'Inherit from the parent the permission entries ...' is set.

This is as it should be again though I wonder why the first 3 rows are not shown as 'inherited'.

Now I add user 'bbb' with read & execute permissions to M:\user\aaa with the extra setting 'this folder only'.
Permissions for M:\user\aaa are now
Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | Anna Bbb (WZB\bbb)       | Read&Execute | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only

Fine again.

Now I create another subfolder M:\user\aaa\xyz
Permissions for M:\user\aaa\xyz go nuts:
Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | Full control | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | root (WZB\root)          | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only

---------------------------------------------------------------------------
Problem 1: 'Domain Users (WZB\users)' get 'Full control' instead of 'None'
Problem 2: 'root (WZB\root)' replaces 'Otto Aaa (WZB\aaa)'.
---------------------------------------------------------------------------

Further observations:
- Problem 2 only occurs if I create folder 'M:\user\aaa\xyz' as an admin user. If I do it as 'aaa', only problem 1 remains.
- Nothing bad happens if user 'bbb' is added to folder 'M:\user\aaa' with 'This folder, subfolders and files'.
- More generally, nothing bad happens, if there is at least one additional user or group in the ACL for 'M:\user\aaa' with 'This folder, subfolders and files', even if user 'bbb' has rights for 'This folder only'.

In the standard log, I found the line
[2009/06/25 16:32:20,  0] smbd/open.c:change_dir_owner_to_parent(255)
  change_dir_owner_to_parent: device/inode/mode on directory user/aaa/abc changed. Refusing to chown !
whenever things went wrong.
Comment 1 Peter Rindfuss 2009-06-25 09:47:27 UTC
Created attachment 4349 [details]
smb.conf
Comment 2 Peter Rindfuss 2009-06-25 09:53:30 UTC
Created attachment 4350 [details]
bug text as attachment
Comment 3 Peter Rindfuss 2009-06-25 10:04:25 UTC
Created attachment 4351 [details]
level 10 dump

The level 10 dump starts after user 'bbb' was added with rights 'read&execute' with 'This folder only' to folder 'M:\user\aaa', but before subfolder 'M:\user\aaa\abc' was created. It covers the creation process of 'abc'.
Comment 4 TAKAHASHI Motonobu 2010-08-22 02:32:57 UTC
Is BUG#7638 same?