Bug 6877 - enhancement: acl_xattr module default acls created in default_file_sd
Status: NEW
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: VFS Modules
Version: 3.4.1
Hardware: Other Windows XP
Importance: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2009-11-08 18:50 UTC by Barry Sabsevitz (mail address dead)
Modified: 2021-03-07 16:30 UTC

Proposed/untested patch for a suggested change to default_file_sd() (4.67 KB, patch)
2009-11-23 15:22 UTC, Barry Sabsevitz (mail address dead)

Description Barry Sabsevitz (mail address dead) 2009-11-08 18:50:52 UTC
We were thinking a good enhancement to the acl_xattr module might be to have the default acls created in default_file_sd() to be created as:

Primary Owner -> ALL ACCESS RIGHTS
Primary Group -> Read/Execute if a folder, Read if a file
Everyone -> Read

instead of what it does now where it creates the ACLs as:

Primary Owner -> ALL ACCESS RIGHTS

If you think this is a reasonable change, I can cut a patch for this. We think the suggested ACLs in this defect are more in line with what one might expect when folders or files are created on Windows.
Comment 1 Jeremy Allison 2009-11-20 16:34:57 UTC
It's an interesting idea. Can I see the patch you propose please?
Comment 2 Barry Sabsevitz (mail address dead) 2009-11-20 17:15:51 UTC
Sure. I'll upload as soon as I can.
Comment 3 Barry Sabsevitz (mail address dead) 2009-11-23 15:20:40 UTC
Hey Jeremy, here is a proposed patch. This patch may not be 100% as I haven't tried it, but it gives you the idea for what we are proposing. One thing that I still need to improve is that I use the force_inherit flag to determine whether it is a folder or file that we are dealing with when determining whether it should have READ or READ/EXECUTE rights for the Primary group. But in reality this is not the right way to determine this as force_inherit could be 0 but we could still be dealing with a folder (i.e. if the samba share itself has ACLs on it and they are not marked as inheritable). But this will give you an idea of what we are proposing.
Comment 4 Barry Sabsevitz (mail address dead) 2009-11-23 15:22:03 UTC
Created attachment 4986
Proposed/untested patch for a suggested change to default_file_sd()

A proposed untested patch where we were thinking default_file_sd() could use Primary Owner, Primary Group and Everyone instead of Primary Owner and System for its ACLs.
Comment 5 Jeremy Allison 2009-12-02 16:13:18 UTC
Ok, I've been doing a lot of work in this area - and what I've decided to do is to fall back to using the representation of the underlying file system permission on new files/directories - if the parent ACL has no inheritable components.

This doesn't match Windows so it will not pass the smbtorture4 test, but it's what people will expect.

I'm testing the fix now.

Comment 6 Björn Jacke 2021-03-07 16:27:48 UTC
Jeremy, did the fix that you mentioned go upstream? I don't find this bug referenced in any commit message. If it's fixed, please also close this bug report.

(cross reference: bug 8963 is describing problems that we have because of the non-Windows-conforming ACL creation when no inheritable components exist; especially systems with NFS4 ACLs run into problems here because those generate unordered ACLs then. bug 14653 describes the problem of unordered ACLs)