Bug 6917 - File server: insists on having "inherit from parent" set even when unselected
Status: REOPENED
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assigned To: Andrew Tridgell
QA Contact: samba4-qa@samba.org
Reported: 2009-11-23 02:27 UTC by Matthieu Patou
Modified: 2011-02-09 13:01 UTC (History)
Attachments
Level 10 debug log during uninherit, copy and apply of ACLs on a file (139.33 KB, text/plain)
2010-04-02 08:39 UTC, Roel van Meer
Level 10 debug log during uninherit, copy, edit and apply of ACLs on a file (117.63 KB, text/plain)
2010-04-02 08:40 UTC, Roel van Meer
Output of testparm -sv (8.55 KB, application/octet-stream)
2010-04-02 08:48 UTC, Roel van Meer

Description Matthieu Patou 2009-11-23 02:27:47 UTC
This bug does not let you remove the option "inherit from parent" if the permissions are the same as the permissions of the parent.

To reproduce the bug:

* create a folder
* right-click on it, Properties -> Security
* All ACLs are inherited by default from the parent directory (unless the parent directory has no real NT ACL)
* click Advanced
* uncheck "inherit from parent"
* click Apply and see the check for inherit reappear
Comment 1 Matthias Dieter Wallnöfer 2010-03-08 04:33:22 UTC
Reassign file server related bugs up to tridge.
Comment 2 Roel van Meer 2010-04-01 07:03:35 UTC
I can reproduce this with 3.5.1 as well.
Comment 3 Roel van Meer 2010-04-02 08:17:37 UTC
Adding information here since it seems to be the same bug.

ACL inheritance cannot be disabled if the ACLs on the current object are identical to the ACLs of the parent object. If they are different from the ACLs of the parent object, inheritance _can_ be disabled.
Comment 4 Roel van Meer 2010-04-02 08:39:35 UTC
Created attachment 5588 [details]
Level 10 debug log during uninherit, copy and apply of ACLs on a file

This is a level 10 debug log during manipulation of ACLs with the Windows XP security editor. Actions were:
- Uncheck "Inherit ACLs" checkbox
- Answer "Copy" to the popup with the question about what to do with the permission entries (from choices Copy|Remove|Cancel)
--> The "Inherit ACLs" checkbox is now unchecked
- Click "Apply"
--> The "Inherit ACLs" checkbox is now checked again
Comment 5 Roel van Meer 2010-04-02 08:40:43 UTC
Created attachment 5589 [details]
Level 10 debug log during uninherit, copy, edit and apply of ACLs on a file

This is a level 10 debug log during manipulation of ACLs with the Windows XP security editor. Actions were:
- Uncheck "Inherit ACLs" checkbox
- Answer "Copy" to the popup with the question about what to do with the permission entries (from choices Copy|Remove|Cancel)
--> The "Inherit ACLs" checkbox is now unchecked
- Edit one of the ACLs, change "Full Control" into something else
- Click "Apply"
--> The "Inherit ACLs" checkbox remains unchecked
Comment 6 Roel van Meer 2010-04-02 08:43:41 UTC
Surprisingly, if you have uninherited ACLs and you change them so they are identical to the ACLs of the parent object, the Inheritance checkbox gets checked again.
Comment 7 Roel van Meer 2010-04-02 08:48:36 UTC
Created attachment 5590 [details]
Output of testparm -sv

Samba configuration (3.5.1)
Comment 8 Matthias Dieter Wallnöfer 2010-11-21 05:04:57 UTC
ekacnet, I've tried to reproduce this - and well, this is not a bug.

Samba 4 has the following code in "pvfs_acl_set":
>        /* we avoid saving if the sd is the same. This means when clients
>           copy files and end up copying the default sd that we don't
>           needlessly use xattrs */
>        if (!security_descriptor_equal(sd, &orig_sd) && pvfs->acl_ops) {
>                status = pvfs->acl_ops->acl_save(pvfs, name, fd, sd);
>        }

That means the following: if you just untick the flag "inherited from parent" and click on "Ok" or "Apply" the old and the new SDs are still the same and this won't be saved as the comment states.

But if you untick and change the descriptor and then click "Okay" the SD will be duplicated, changed and the inheritance removed.

So no bug here - s4 just doesn't want to waste space for duplicated SDs.
Comment 9 Matthieu Patou 2010-11-21 05:19:02 UTC
Matthias,

Have we checked the behavior on a Windows with a Windows server?
And sorry to say it, it's a bug, as I'm pretty sure that Windows doesn't do this, and we can face the problem in this particular test case:

we have \\server\share\dir1\dir2

dir2 inherits the ACLs from dir1. Let's suppose that the admin wants to change the ACLs of dir1 but not of dir2, and starts by making them non-inheritable on dir2, then changes them on dir1.

If we implicitly re-set the ACLs to be inheritable, then when you change the ACLs on dir1, the ACLs on dir2 will be changed. If you unset inheritable, then even if at a given moment the ACLs on dir1 and dir2 are the same, when you change dir1, dir2 won't be changed.
Comment 10 Matthias Dieter Wallnöfer 2010-11-21 06:29:01 UTC
Then please try to comment out the mentioned "if" and let the "acl_save" command always be executed. I bet that it starts working as expected.
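
The check quoted in comment 8, the dir1/dir2 scenario from comment 9 and the always-save variant from comment 10, as an added example that is not part of the original thread and is not Samba's code. It is a simplified model: a security descriptor is reduced to a single access mask, a node with no saved descriptor takes its parent's, and all names and mask values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): an SD is reduced to one access mask. */
struct node {
    struct node *parent;
    bool has_stored_sd;   /* true once an SD has been saved for this node */
    unsigned stored_sd;
};

/* A node without a saved SD takes whatever its parent currently has. */
static unsigned effective_sd(const struct node *n)
{
    if (n->has_stored_sd || n->parent == NULL)
        return n->stored_sd;
    return effective_sd(n->parent);
}

/* Same shape as the quoted check: no save when the SD is unchanged. */
static void set_sd_skip_if_equal(struct node *n, unsigned sd)
{
    if (sd != effective_sd(n)) {
        n->stored_sd = sd;
        n->has_stored_sd = true;
    }
}

/* Variant suggested in comment 10: always save. */
static void set_sd_always(struct node *n, unsigned sd)
{
    n->stored_sd = sd;
    n->has_stored_sd = true;
}

/* Comment 9 scenario; returns dir2's effective mask after dir1 changes. */
static unsigned run_scenario(void (*set_sd)(struct node *, unsigned))
{
    struct node dir1 = { NULL, true, 0x1F01FF };  /* constructed: full control */
    struct node dir2 = { &dir1, false, 0 };
    set_sd(&dir2, effective_sd(&dir2));  /* uncheck inherit, "Copy", Apply */
    set_sd(&dir1, 0x1200A9);             /* constructed: read and execute */
    return effective_sd(&dir2);
}

int main(void)
{
    printf("skip-if-equal: dir2 = 0x%X\n", run_scenario(set_sd_skip_if_equal));
    printf("always save:   dir2 = 0x%X\n", run_scenario(set_sd_always));
    return 0;
}
```

With the skip, dir2 ends up with dir1's new mask; with the unconditional save it keeps the copied one.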
Comment 11 Roel van Meer 2010-11-22 04:06:50 UTC
Hi Matthias,

I can reproduce this with 3.5.x as well. Please let me know if you want a separate bug report for this problem in samba3.

Regards,

roel

Comment 12 Jeremy Allison 2010-11-22 11:23:22 UTC
Yes please (for the 3.5.6 bug). Note I'll probably ask you to test with the new jumbo-acl patch that will be in 3.5.7 to see if this is fixed.
Jeremy.
Comment 13 Roel van Meer 2010-11-23 06:05:21 UTC
Opened a new bug for the same issue in samba3: https://bugzilla.samba.org/show_bug.cgi?id=7812