We were thinking a good enhancement to the acl_xattr module might be to have the default ACLs created in default_file_sd() be created as: Primary Owner -> ALL ACCESS RIGHTS; Primary Group -> Read/Execute if a folder, Read if a file; Everyone -> Read, instead of what it does now, where it creates the ACLs as: Primary Owner -> ALL ACCESS RIGHTS; System -> ALL ACCESS RIGHTS. If you think this is a reasonable change, I can cut a patch for this. We think the suggested ACLs in this defect are more in line with what one might expect when folders or files are created on Windows.
It's an interesting idea. Can I see the patch you propose please? Jeremy.
Sure. I'll upload as soon as I can.
Hey Jeremy, here is a proposed patch. This patch may not be 100% as I haven't tried it, but it gives you the idea for what we are proposing. One thing that I still need to improve is that I use the force_inherit flag to determine whether it is a folder or file that we are dealing with when determining whether it should have READ or READ/EXECUTE rights for the Primary group. But in reality this is not the right way to determine this as force_inherit could be 0 but we could still be dealing with a folder (i.e. if the samba share itself has ACLs on it and they are not marked as inheritable). But this will give you an idea of what we are proposing.
Created attachment 4986 Proposed/untested patch for a suggested change to default_file_sd() A proposed untested patch where we were thinking default_file_sd() could use Primary Owner, Primary Group and Everyone instead of Primary Owner and System for its ACLs.
Ok, I've been doing a lot of work in this area - and what I've decided to do is to fall back to using the representation of the underlying file system permission on new files/directories - if the parent ACL has no inheritable components. This doesn't match Windows so it will not pass the smbtorture4 test, but it's what people will expect. I'm testing the fix now. Jeremy.
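An added illustration, not part of the thread and not Samba's code: one simplified way a POSIX mode can be represented as owner/group/Everyone allow ACEs, which is the kind of fallback described in the comment above. The `struct ace` type, the `mode_to_aces()` and `perm_to_mask()` helpers, and the "OWNER"/"GROUP" trustee labels are hypothetical; the access-mask values and the Everyone SID (S-1-1-0) are the standard Windows ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Standard Windows file access masks (Windows SDK values). */
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u

/* Hypothetical, simplified ACE: trustee label plus allow mask. */
struct ace {
    const char *trustee;
    uint32_t mask;
};

/* Map one rwx triplet (0..7) to a Windows access mask. */
static uint32_t perm_to_mask(unsigned rwx)
{
    uint32_t m = 0;
    if (rwx & 4) m |= FILE_GENERIC_READ;
    if (rwx & 2) m |= FILE_GENERIC_WRITE;
    if (rwx & 1) m |= FILE_GENERIC_EXECUTE;
    return m;
}

/*
 * Build allow ACEs for owner, group and Everyone from the mode bits.
 * A triplet with no bits set produces no ACE, so a 0750 file grants
 * nothing to Everyone. Returns the number of ACEs written to out[].
 */
size_t mode_to_aces(mode_t mode, struct ace out[3])
{
    /* "OWNER"/"GROUP" stand in for the real owner and group SIDs. */
    static const char *who[3] = { "OWNER", "GROUP", "S-1-1-0" };
    size_t n = 0;

    for (int i = 0; i < 3; i++) {
        uint32_t m = perm_to_mask((unsigned)(mode >> (6 - 3 * i)) & 7u);
        if (m != 0) {
            out[n].trustee = who[i];
            out[n].mask = m;
            n++;
        }
    }
    return n;
}
```

With this kind of mapping the resulting descriptor follows whatever mode the server created the file with, so the effective default access is governed by the share's create-mask settings rather than by a fixed owner/SYSTEM pair.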
Jeremy, did the fix that you mentioned go upstream? I don't find this bug referenced in any commit message. If it's fixed, please also close this bug report. (cross reference: bug 8963 is describing problems that we have because of the non-Windows-conforming ACL creation when no inheritable components exist, especially systems with NFS4 ACLs run into problems here because those generate unordered ACLs then. bug 14653 describes the problem of unordered ACLs)