Bug 6938 - No hook exists to check creation rights when using acl_xattr module
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: VFS Modules
Version: 3.4.1
Hardware: Other Windows XP
: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2009-11-29 19:36 UTC by Barry Sabsevitz (mail address dead)
Modified: 2011-04-08 15:54 UTC

Patch that went into master (5.70 KB, patch)
2009-12-01 11:42 UTC, Jeremy Allison

Description Barry Sabsevitz (mail address dead) 2009-11-29 19:36:51 UTC
If a POSIX ACL ends up on a folder with "RW" mode for a group, any user in that group can now create files or folders even though they may not have the Windows Native NT rights to do so. This occurs when using the acl_xattr module.

I don't believe there are any hooks in Samba to invoke the acl_xattr module to verify create rights when creating a file in a folder. It looks like Samba will check the POSIX ACLs (because Linux will disallow creates if the samba daemon doesn't have the rights to create a file when it impersonates the user) but there doesn't seem to be any invocation that checks the Native NT ACLs on a create operation.

To reproduce:
1. Create a group in AD Server (sambatg).
2. Create 2 users, sambag1 and sambac1, and make them members of the sambatg group.
3. Log in as sambac1 user and create a folder. Provide read / write files permissions to the sambatg group but don't provide Create subfiles or subfolders permissions to that group. Change any other ACLs that may exist so that the ONLY ACLs that exist on this folder are:
     sambac1 -> Full access rights
     sambatg -> read/write file rights but don't give it create subfile or create subfolder rights.
4. Log in as sambag1 user and create a folder under the folder created in step 4.

You will find that although the user sambag1 does not have rights to create a file or subfolder (no rights exist for user sambag1 at all and the group it belongs to does not have create file or create subfolder rights) the operation succeeds because a POSIX ACL is set on the folder for the group sambatg as "RW".

There don't seem to be any checks for create rights within Samba. Because the POSIX ACL is set to "RW", the create operation is allowed even though the lack of Native NT ACLs should cause it to fail.

An easy way to fix this would be to modify the create (open) code path in the acl_xattr module to check the parent directory/folder for valid rights before allowing this create request to succeed.

Samba does have special checks when a file or folder is being deleted but no such checks seem to exist for the creation of a file or folder.
Comment 1 Jeremy Allison 2009-11-29 23:35:00 UTC
Yes this is correct. The underlying POSIX permissions are the only ones checked on create/mkdir. I'll look into adding this hook inside the acl modules.
Comment 2 Jeremy Allison 2009-11-30 15:43:21 UTC
We also need to check for SEC_DIR_LIST on opendir() as well. I'm preparing a patch for this for 3.5.0 and master (and will investigate a back-port for 3.4.4).
Comment 3 Jeremy Allison 2009-12-01 11:42:17 UTC
Created attachment 5034
Patch that went into master

This is what went into master. I'll look into making this work for 3.4.x.
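
The create-time check discussed in this report, as an added C sketch that is not the attached patch or any Samba code: the parent directory's NT DACL is evaluated for the add-file or add-subfolder right in addition to the POSIX result, and the same routine covers the SEC_DIR_LIST check mentioned for opendir(). The integer SIDs, struct layouts, function names and sample DACL are assumptions constructed for illustration; only the SEC_DIR_* names mirror Samba's access-mask bits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Directory access-mask bits, named as in Samba. */
#define SEC_DIR_LIST       0x0001u
#define SEC_DIR_ADD_FILE   0x0002u
#define SEC_DIR_ADD_SUBDIR 0x0004u

/* Hypothetical simplified types: SIDs reduced to integers. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace   { enum ace_type type; int sid; uint32_t mask; };
struct token { int user_sid; int group_sid; };

/* Constructed DACL for the folder in the report: sambac1 (1) has full
 * rights, group sambatg (100) may list but not add files or subfolders. */
static const struct ace sample_dacl[] = {
    { ACE_ALLOW, 1,   SEC_DIR_LIST | SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR },
    { ACE_ALLOW, 100, SEC_DIR_LIST },
};
static const struct token sambac1 = { 1, 100 }, sambag1 = { 2, 100 };

/* Ordered DACL walk: a matching deny ACE on a still-needed bit fails the
 * request; it succeeds only once allow ACEs cover every desired bit. */
bool nt_access_check(const struct ace *dacl, size_t n,
                     const struct token *t, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (dacl[i].sid != t->user_sid && dacl[i].sid != t->group_sid)
            continue;
        if (dacl[i].type == ACE_DENY) {
            if (dacl[i].mask & remaining) return false;
        } else {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;
}

/* Create/mkdir gate: posix_ok is the kernel's verdict (group "rw" on the
 * parent); the parent's NT ACL must also grant the matching add right. */
bool may_create(const struct ace *parent_dacl, size_t n,
                const struct token *t, bool is_dir, bool posix_ok)
{
    uint32_t need = is_dir ? SEC_DIR_ADD_SUBDIR : SEC_DIR_ADD_FILE;
    return posix_ok && nt_access_check(parent_dacl, n, t, need);
}

int main(void) { return may_create(sample_dacl, 2, &sambag1, true, true); }
```

With the sample DACL, sambag1 can still list the folder through the sambatg entry, but both mkdir and file creation are refused even though the POSIX group bits would allow them.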