6507 – change_dir_owner_to_parent: acl inheritance bug

Bug 6507 - change_dir_owner_to_parent: acl inheritance bug

Summary: change_dir_owner_to_parent: acl inheritance bug

Status:	RESOLVED DUPLICATE of bug 7638

Alias:	None

Product:	Samba 3.3
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.3.5
Hardware:	x64 Windows XP

Importance:	P3 major
Target Milestone:	---
Assignee:	Volker Lendecke
QA Contact:	Samba QA Contact

URL:	http://www.wzb.eu
Keywords:

Depends on:
Blocks:

Reported:	2009-06-25 09:44 UTC by Peter Rindfuss
Modified:	2018-03-31 14:14 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
smb.conf (2.17 KB, application/octet-stream) 2009-06-25 09:47 UTC, Peter Rindfuss	no flags	Details
bug text as attachment (4.11 KB, text/plain) 2009-06-25 09:53 UTC, Peter Rindfuss	no flags	Details
level 10 dump (70.39 KB, application/octet-stream) 2009-06-25 10:04 UTC, Peter Rindfuss	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Rindfuss 2009-06-25 09:44:36 UTC

We have Samba 3.3.6 with ACLs on OpenSuse 11.0 (PDC/BDC with OpenLDAP).
Clients are WinXP Pro SP3. Winbindd ist not used.


I have noticed some problems with ACLs inheritance. I first saw this with Samba 3.3.5/3.3.6, but I found out it also exists in 3.2.7, our previous version. I think it is serious because it caused a security hole here.

I apologize for the lengthy text but I think it is necessary to explain the circumstances. I add it as an attachment to give a chance to better read the ACL tables.


Given is a folder M:\user\aaa owned by user 'aaa' with primary group 'users'. Windows advanced ACL editor shows

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
The flag 'Inherit from the parent the permission entries ...' is set.

I think this is as it should be.
Now I create a subfolder M:\user\aaa\abc. 'abc' gets permissions

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | Otto Aaa (WZB\aaa)       | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only
The flag 'Inherit from the parent the permission entries ...' is set.

This is as it should be again though I wonder why the first 3 rows are not shown as 'inherited'.

Now I add user 'bbb' with read & execute permissions to M:\user\aaa with the extra setting 'this folder only'.
Permissions for M:\user\aaa are now
Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | Anna Bbb (WZB\bbb)       | Read&Execute | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only

Fine again.

Now I create another subfolder M:\user\aaa\xyz
Permissions for M:\user\aaa\xyz go nuts:
Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | Full control | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | root (WZB\root)          | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only

---------------------------------------------------------------------------
Problem 1: 'Domain Users (WZB\users)' get 'Full control' instead of 'None'
Problem 2: 'root (WZB\root)' replaces 'Otto Aaa (WZB\aaa)'.
---------------------------------------------------------------------------

Further observations:
- Problem 2 only occurs if I create folder 'M:\user\aaa\xyz' as an admin user. If I do it as 'aaa', only problem 1 remains.
- Nothing bad happens if user 'bbb' is added to folder 'M:\user\aaa' with 'This folder, subfolders and files'.
- More generally, nothing bad happens, if there is at least one additional user or group in the ACL for 'M:\user\aaa' with 'This folder, subfolders and files', even if user 'bbb' has rights for 'This folder only'.

In the standard log, I found the line
[2009/06/25 16:32:20,  0] smbd/open.c:change_dir_owner_to_parent(255)
  change_dir_owner_to_parent: device/inode/mode on directory user/aaa/abc changed. Refusing to chown !
whenever things went wrong.

Comment 1 Peter Rindfuss 2009-06-25 09:47:27 UTC

Created attachment 4349 [details]
smb.conf

Comment 2 Peter Rindfuss 2009-06-25 09:53:30 UTC

Created attachment 4350 [details]
bug text as attachment

Comment 3 Peter Rindfuss 2009-06-25 10:04:25 UTC

Created attachment 4351 [details]
level 10 dump

The level 10 dump starts after user 'bbb' was added with rights 'read&execute' with 'This folder only' to folder 'M:\user\aaa', but before subfolder 'M:\user\aaa\abc' was created. It covers the creation process of 'abc'.

Comment 4 TAKAHASHI Motonobu 2010-08-22 02:32:57 UTC

Is BUG#7638 same?

Comment 5 Björn Jacke 2018-03-31 14:14:07 UTC


*** This bug has been marked as a duplicate of bug 7638 ***