Bug 6878 - Cannot change ACL's inherit flag
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: File services
Version: 3.4.3
Hardware: All Linux
Importance: P3 normal
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact

Reported: 2009-11-08 22:24 UTC by Tsukasa HAMANO
Modified: 2011-10-05 09:08 UTC

Attachments
Patch for 3.4.3 (3.08 KB, patch)
2009-11-08 22:31 UTC, Tsukasa HAMANO
Patch for master and 3.5.0 (9.09 KB, patch)
2009-11-11 12:54 UTC, Jeremy Allison

Description Tsukasa HAMANO 2009-11-08 22:24:29 UTC
There is a directory as follows:

 % getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x

 % smbcacls //SERVER/test dir -U test%PASS
REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ

Next, change the owner's "Apply to" to "This folder, subfolders and files".
We can do this as follows:
 % smbcacls //SERVER/test dir -U test%PASS -a 'ACL:DOMAIN\test:ALLOWED/3/FULL'

Now, we can see the ACL as follows:
 % getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::---
default:other::---

 % smbcacls //SERVER/test dir -U test%PASSWORD
REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/

The ACL includes "Creator Owner" and "Creator Group", but the owner's ACE inherit flag is unchanged.
The owner's ACE inherit flag should be 3,
and it should contain a named default ACE as follows:
 % getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:test:rwx
default:group::---
default:mask::rwx
default:other::---
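
Added example, not part of the original report or of Samba: a Python check that parses smbcacls output like the listing in the description, decodes the numeric inheritance field, and tests whether the ACE requested with -a actually appears. It assumes the standard Windows ACE flag bits (1 object inherit, 2 container inherit, 4 no propagate, 8 inherit only, 16 inherited); the function names are hypothetical.

```python
import re

# Inheritance bits carried in the numeric middle field of an smbcacls ACE line
# (assumed: standard Windows ACE flag values).
ACE_FLAGS = [(0x01, "OBJECT_INHERIT"), (0x02, "CONTAINER_INHERIT"),
             (0x04, "NO_PROPAGATE_INHERIT"), (0x08, "INHERIT_ONLY"),
             (0x10, "INHERITED")]

ACE_RE = re.compile(r"^ACL:(.+):(ALLOWED|DENIED)/(\d+|0x[0-9a-fA-F]+)/(.*)$")

# smbcacls output copied from the report, as seen after the -a call.
AFTER = r"""REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/
"""

def parse_aces(text):
    """Return (trustee, type, flags, mask) for every ACL: line."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            who, kind, flags, mask = m.groups()
            aces.append((who, kind, int(flags, 0), mask))
    return aces

def decode_flags(flags):
    """Names of the inheritance bits set in a numeric flags field."""
    return [name for bit, name in ACE_FLAGS if flags & bit]

def ace_present(text, requested):
    """True if the ACE passed to `smbcacls -a` shows up unchanged in the output."""
    want = parse_aces(requested)
    return bool(want) and want[0] in parse_aces(text)

def inheritable_trustees(text):
    """Trustees whose ACE propagates to new children (object or container inherit set)."""
    return [who for who, _, flags, _ in parse_aces(text) if flags & 0x03]

if __name__ == "__main__":
    for who, kind, flags, mask in parse_aces(AFTER):
        print(f"{who:22} {kind} {flags:>2} {decode_flags(flags)} {mask}")
    print("requested ACE present:", ace_present(AFTER, r"ACL:DOMAIN\test:ALLOWED/3/FULL"))
```

Run against the listing from the report, the requested flag-3 ACE for DOMAIN\test is reported as absent, while only the Creator Owner, Creator Group and Everyone entries carry inheritance bits.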
Comment 1 Tsukasa HAMANO 2009-11-08 22:31:56 UTC
Created attachment 4932
Patch for 3.4.3
Comment 2 Jeremy Allison 2009-11-09 19:32:10 UTC
This looks correct to me. I'm going to do some more testing and if everything passes commit tomorrow.
Thanks !
Jeremy.
Comment 3 Jeremy Allison 2009-11-11 12:54:46 UTC
Created attachment 4951
Patch for master and 3.5.0

This is the patch I'm going to apply for master and 3.5.0. It's based on your patch, but expands on it quite a bit. Your bug report was really good and pointed out the underlying problem in the POSIX ACL mapping. I'm not going to put this in 3.4.x as it's too invasive a change for the stable series - but I'm hoping you can test this for the 3.5.x release.

Thanks !

Jeremy.
Comment 4 Debian samba package maintainers (PUBLIC MAILING LIST) 2010-01-28 03:00:05 UTC
We had http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567095 for this. Jeremy, from the bug log and 3.5.0, it seems that the fix you proposed wasn't pushed to 3.5.0. Can you confirm?

Christian Perrier
Comment 5 Jeremy Allison 2010-01-28 12:48:41 UTC
Christian, this is incorrect. The fix is in the v3-5-stable git tree when I check it out. Can you check what you're building from?
Jeremy.
Comment 6 Debian samba package maintainers (PUBLIC MAILING LIST) 2010-01-30 11:02:53 UTC
To Jeremy: fine. I actually didn't check the code but was referring to the bug history and WHATSNEW.txt files from 3.5.0 versions where I didn't find any reference to bug #6878.

Having the mark still marked as assigned and not fixed was also confusing. I assume that it should indeed be closed. 

One of our users reported this bug against 3.2.5 and I was actually wondering whether we can backport it (the issue seems to be annoying enough). That doesn't seem completely straightforward, though.

Christian
Comment 7 Björn Jacke 2011-05-30 13:00:37 UTC
In 3.5 this was fixed by cdcd4da33e2d2 in Nov. 2009. As of comment 3 a backport would be too invasive.

Closing as fixed as it should be fixed in 3.5.