We have Samba 3.3.6 with ACLs on OpenSuse 11.0 (PDC/BDC with OpenLDAP). Clients are WinXP Pro SP3. Winbindd is not used. I have noticed some problems with ACL inheritance. I first saw this with Samba 3.3.5/3.3.6, but I found out it also exists in 3.2.7, our previous version. I think it is serious because it caused a security hole here. I apologize for the lengthy text but I think it is necessary to explain the circumstances. I add it as an attachment to give a chance to better read the ACL tables.

Given is a folder M:\user\aaa owned by user 'aaa' with primary group 'users'. Windows advanced ACL editor shows

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only

The flag 'Inherit from the parent the permission entries ...' is set. I think this is as it should be.

Now I create a subfolder M:\user\aaa\abc. 'abc' gets permissions

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | Otto Aaa (WZB\aaa)       | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only

The flag 'Inherit from the parent the permission entries ...' is set. This is as it should be again, though I wonder why the first 3 rows are not shown as 'inherited'.

Now I add user 'bbb' with read & execute permissions to M:\user\aaa with the extra setting 'this folder only'. Permissions for M:\user\aaa are now

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Otto Aaa (WZB\aaa)       | Full control | <Not inherited> | This folder only
Allow | Domain Users (WZB\users) | None         | <Not inherited> | This folder only
Allow | Anna Bbb (WZB\bbb)       | Read&Execute | <Not inherited> | This folder only
Allow | CREATOR OWNER            | Full control | <Not inherited> | Subfolders and files only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only

Fine again. Now I create another subfolder M:\user\aaa\xyz. Permissions for M:\user\aaa\xyz go nuts:

Allow | everyone                 | None         | <Not inherited> | This folder, subfolders and files
Allow | Domain Users (WZB\users) | Full control | <Not inherited> | This folder only
Allow | CREATOR GROUP            | None         | <Not inherited> | Subfolders and files only
Allow | root (WZB\root)          | Full control | M:\user\aaa     | This folder only
Allow | CREATOR OWNER            | Full control | M:\user\aaa     | Subfolders and files only

---------------------------------------------------------------------------
Problem 1: 'Domain Users (WZB\users)' get 'Full control' instead of 'None'
Problem 2: 'root (WZB\root)' replaces 'Otto Aaa (WZB\aaa)'.
---------------------------------------------------------------------------

Further observations:
- Problem 2 only occurs if I create folder 'M:\user\aaa\xyz' as an admin user. If I do it as 'aaa', only problem 1 remains.
- Nothing bad happens if user 'bbb' is added to folder 'M:\user\aaa' with 'This folder, subfolders and files'.
- More generally, nothing bad happens if there is at least one additional user or group in the ACL for 'M:\user\aaa' with 'This folder, subfolders and files', even if user 'bbb' has rights for 'This folder only'.

In the standard log, I found the line

[2009/06/25 16:32:20, 0] smbd/open.c:change_dir_owner_to_parent(255)
  change_dir_owner_to_parent: device/inode/mode on directory user/aaa/abc changed. Refusing to chown !

whenever things went wrong.
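The tables above make it possible to state what a new subfolder's ACL should look like and to check an observed ACL against it. The script below is an added example, not code from the bug report or from the Samba project: it encodes the Windows-style propagation rules exactly as the 'abc' case shows them (entries scoped to 'This folder only' do not propagate, CREATOR OWNER / CREATOR GROUP are materialized as an entry for the new folder's owner and group, and the placeholder entries keep propagating), then reports which entries are missing from or unexpected in an observed child ACL. The parent and child ACLs are constructed inline from the report; the expected owner of the new folder is a parameter, since the report expects the parent's owner 'aaa' rather than the creating admin. Rights are the coarse labels the ACL editor shows; the POSIX ACL mapping Samba performs underneath is deliberately not modelled.

```python
"""Expected-inheritance model for a new subfolder plus an ACL drift check.

Assumptions (not from the report): rights are compared as the editor's
labels, and the 'inherited from' column is ignored because the report
itself notes it is shown inconsistently.
"""
from typing import List, NamedTuple, Tuple

FOLDER_ONLY = "This folder only"
SUB_ONLY = "Subfolders and files only"
ALL = "This folder, subfolders and files"


class Ace(NamedTuple):
    principal: str
    rights: str
    applies_to: str


def expected_child_acl(parent: List[Ace], new_owner: str, new_group: str) -> List[Ace]:
    """ACL a freshly created subfolder should carry, derived from its parent."""
    child: List[Ace] = []
    for ace in parent:
        if ace.applies_to == FOLDER_ONLY:
            continue  # scoped to the parent itself, never propagated
        if ace.principal == "CREATOR OWNER":
            # materialized for the concrete owner, scoped to the new folder
            child.append(Ace(new_owner, ace.rights, FOLDER_ONLY))
        elif ace.principal == "CREATOR GROUP":
            child.append(Ace(new_group, ace.rights, FOLDER_ONLY))
        # the propagating entry itself continues down the tree unchanged
        child.append(Ace(ace.principal, ace.rights, ace.applies_to))
    return child


def acl_drift(expected: List[Ace], observed: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """Return (missing, unexpected) entries, each sorted for stable output."""
    exp, obs = set(expected), set(observed)
    return sorted(exp - obs), sorted(obs - exp)


# Constructed from the report's tables: M:\user\aaa before 'bbb' was added.
PARENT_AAA = [
    Ace("everyone", "None", ALL),
    Ace("Otto Aaa", "Full control", FOLDER_ONLY),
    Ace("Domain Users", "None", FOLDER_ONLY),
    Ace("CREATOR OWNER", "Full control", SUB_ONLY),
    Ace("CREATOR GROUP", "None", SUB_ONLY),
]
# Same folder after 'bbb' got Read&Execute scoped to 'This folder only'.
PARENT_AAA_WITH_BBB = PARENT_AAA[:3] + [Ace("Anna Bbb", "Read&Execute", FOLDER_ONLY)] + PARENT_AAA[3:]

# Observed ACLs of the two subfolders, as the report lists them.
ABC_OBSERVED = [
    Ace("everyone", "None", ALL),
    Ace("Domain Users", "None", FOLDER_ONLY),
    Ace("CREATOR GROUP", "None", SUB_ONLY),
    Ace("Otto Aaa", "Full control", FOLDER_ONLY),
    Ace("CREATOR OWNER", "Full control", SUB_ONLY),
]
XYZ_OBSERVED = [
    Ace("everyone", "None", ALL),
    Ace("Domain Users", "Full control", FOLDER_ONLY),
    Ace("CREATOR GROUP", "None", SUB_ONLY),
    Ace("root", "Full control", FOLDER_ONLY),
    Ace("CREATOR OWNER", "Full control", SUB_ONLY),
]


def check(name: str, parent: List[Ace], observed: List[Ace]) -> List[str]:
    """Human-readable drift report; empty list means the child matches expectation."""
    missing, unexpected = acl_drift(expected_child_acl(parent, "Otto Aaa", "Domain Users"), observed)
    lines = [f"{name}: missing   {a.principal} | {a.rights} | {a.applies_to}" for a in missing]
    lines += [f"{name}: unexpected {a.principal} | {a.rights} | {a.applies_to}" for a in unexpected]
    return lines


if __name__ == "__main__":
    for name, parent, observed in (("abc", PARENT_AAA, ABC_OBSERVED),
                                   ("xyz", PARENT_AAA_WITH_BBB, XYZ_OBSERVED)):
        print("\n".join(check(name, parent, observed)) or f"{name}: ACL as expected")
```

Run against the report's data, 'abc' comes out clean while 'xyz' reports the two deviations the reporter labels Problem 1 (Domain Users gaining Full control in place of None) and Problem 2 (root appearing in place of Otto Aaa). The same comparison can be fed from live data by pulling each folder's ACL from the server and mapping it onto `Ace` rows.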
Created attachment 4349: smb.conf
Created attachment 4350: bug text as attachment
Created attachment 4351: level 10 dump

The level 10 dump starts after user 'bbb' was added with rights 'read&execute' with 'This folder only' to folder 'M:\user\aaa', but before subfolder 'M:\user\aaa\abc' was created. It covers the creation process of 'abc'.
Is BUG#7638 the same?
*** This bug has been marked as a duplicate of bug 7638 ***