Bug 6961 - Posix ACLs implementation in Samba breaks ACL inheritance
Posix ACLs implementation in Samba breaks ACL inheritance
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: VFS Modules
3.4.1
Other Windows XP
: P3 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-03 01:14 UTC by Barry Sabsevitz
Modified: 2010-10-09 04:57 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Barry Sabsevitz 2009-12-03 01:14:57 UTC
While testing Samba 3.4.1 using the acl_xattr module, I found the following problem:

If you do the following:

1. Login to Samba Share as user 1
2. Create a folder called f1
3. Give full access rights to user 2 on folder f1.
4. Login to Samba Share as user 2
5. Create a folder underneath f1 (f1/f2).
6. Login to Samba Share as user 1
7. you will be unable to create any files or folders underneath f1/f2 even though f1/f2 has full access rights for user 1.

The reason for this is although Native NT ACL inheritance is working properly, i.e. f1/f2 inherits the ACL that gives user 1 full access rights from f1, no POSIX ACL is ever created on f1/f2 for user 1. This means that although it looks like user 1 has full access rights, he/she in fact can't do certain operations because the POSIX ACL is not present. The permissions on f1/f2 are:
drwxrwxr--+ 3 user2 domain admins 0 Dec  2 23:02 f2

The POSIX ACLs are (via getfacl call):
# owner: user2
# group: domain\040admins
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::r--
default:user::rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r--

So all create operations are disallowed because the POSIX ACL was never created. Samba needs to set the appropriate POSIX ACL for anything that inherits NT ACLs.
Comment 1 Jeremy Allison 2009-12-04 19:05:08 UTC
Refactoring the VFS interface to fix this for 3.5.x.
Jeremy.
Comment 2 Björn Jacke 2010-10-09 04:57:31 UTC
should be fixed in 3.5, if not, please reopen. Thanks for reporting!