Bug 6877 - enhancement: acl_xattr module default acls created in default_file_sd
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: VFS Modules
Version: 3.4.1
Hardware: Other Windows XP
Importance: P3 normal
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2009-11-08 18:50 UTC by Barry Sabsevitz
Modified: 2012-05-23 22:01 UTC

Attachments
Proposed/untested patch for a suggested change to default_file_sd() (4.67 KB, patch)
2009-11-23 15:22 UTC, Barry Sabsevitz
Description Barry Sabsevitz 2009-11-08 18:50:52 UTC
We were thinking a good enhancement to the acl_xattr module might be to have the default ACLs in default_file_sd() created as:

Primary Owner -> ALL ACCESS RIGHTS
Primary Group -> Read/Execute if a folder, Read if a file
Everyone -> Read

instead of what it does now where it creates the ACLs as:

Primary Owner -> ALL ACCESS RIGHTS
System -> ALL ACCESS RIGHTS

If you think this is a reasonable change, I can cut a patch for this. We think the suggested ACLs in this defect are more in line with what one might expect when folders or files are created on Windows.
Comment 1 Jeremy Allison 2009-11-20 16:34:57 UTC
It's an interesting idea. Can I see the patch you propose please?
Jeremy.
Comment 2 Barry Sabsevitz 2009-11-20 17:15:51 UTC
Sure. I'll upload as soon as I can.
Comment 3 Barry Sabsevitz 2009-11-23 15:20:40 UTC
Hey Jeremy, here is a proposed patch. This patch may not be 100% as I haven't tried it, but it gives you the idea of what we are proposing. One thing that I still need to improve is that I use the force_inherit flag to determine whether it is a folder or file that we are dealing with when determining whether it should have READ or READ/EXECUTE rights for the Primary Group. But in reality this is not the right way to determine this, as force_inherit could be 0 but we could still be dealing with a folder (i.e. if the Samba share itself has ACLs on it and they are not marked as inheritable). But this will give you an idea of what we are proposing.
Comment 4 Barry Sabsevitz 2009-11-23 15:22:03 UTC
Created attachment 4986
Proposed/untested patch for a suggested change to default_file_sd()

A proposed untested patch where we were thinking default_file_sd() could use Primary Owner, Primary Group and Everyone instead of Primary Owner and System for its ACLs.
Comment 5 Jeremy Allison 2009-12-02 16:13:18 UTC
Ok, I've been doing a lot of work in this area - and what I've decided to do is to fall back to using the representation of the underlying file system permission on new files/directories - if the parent ACL has no inheritable components.

This doesn't match Windows so it will not pass the smbtorture4 test, but it's what people will expect.

I'm testing the fix now.

Jeremy.