Bug 7163 - "force directory security mode = 2777" does not apply setgid when samba is compiled with acl support
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: File services
Version: 3.4.5
Hardware: Other Linux
Importance: P3 normal
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
 
Reported: 2010-02-20 05:55 UTC by Erik Sørnes
Modified: 2010-03-16 23:09 UTC

Attachments
Debug 10 output from samba-3.4.5 with acl support (141.73 KB, application/x-gzip)
2010-02-20 06:07 UTC, Erik Sørnes
Debug 10 output from samba-3.4.5 with acl support (129.35 KB, application/x-gzip)
2010-02-20 06:11 UTC, Erik Sørnes
Debug 10 output from samba-3.4.5 without acl support (149.25 KB, application/x-gzip)
2010-02-20 06:12 UTC, Erik Sørnes

Description Erik Sørnes 2010-02-20 05:55:16 UTC
In our corporate environment, we wish to use the setgid feature of the ext3 filesystem together with "force directory security mode" in Samba to enforce "rws" on the POSIX "group-owner", even if the user changes permissions on a file from the native NT security dialog box.

1) These settings work when we compile samba-3.4.5 with --with-acl-support=no
2) But when we compile samba-3.4.5 with "--with-acl-support=yes", the setgid bit is not being applied. The other security bits are however rightfully applied.

I have reproduced the problem on a test server with minimal configuration. Only the smbd process is running here:

SLES11, x86_64, samba-3.4.5
uname -a
Linux erso-desktop 2.6.27.42-0.1-default #1 SMP 2010-01-06 16:07:25 +0100 x86_64 x86_64 x86_64 GNU/Linux
The filesystem is ext3

The Windows machine I use as client is Windows 2000 Professional SP4

I have installed samba 3.4.5 with acl support to /samba-3.4.5
I have installed samba 3.4.5 without acl support to /samba-3.4-5-noacl
The smb.conf for both installations is like this:
 
[global]
        server string = Samba fra erso
        passdb backend = tdbsam:/samba-3.4.5/private/passdb.tdb
        comment = testsone
        workgroup = testgroup
        security = server
        log level = 10
        max log size = 0
        debug hires timestamp = yes
        debug pid = yes
        printcap name = /etc/printcap
        disable spoolss = yes
        map to guest = Bad User
        usershare allow guests = No
        netbios name = testpc
        wins support = No

[test$]
        comment = testshare
        path=/testshare
        writable=yes
        browsable=yes
        force directory security mode = 2777

getfacl /testshare:
# file: testshare
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
ls -ld /testshare:
drwxrwxrwx 3 root root 4096 Feb 20 12:04 /testshare

I use the test folder "/testshare/test2". Here is getfacl "/testshare/test2" before I access it from Windows, using Samba with ACL support:

getfacl /testshare/test2:
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::r--
group::---
other::---
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2
dr--------+  2 Administrator gruppetest 4096 Feb 20 12:04 test2

Now, I start Samba with ACL support and debug level 10 and do the following:
1) Open \\<ip-of-sambaserver>\test$ in explorer.exe on Windows 2000
2) Select properties of the test2 folder in Windows Explorer
3) On the security tab, I mark the user "everybody", select Full Control, and click OK.
5) I run getfacl /testshare/test2 and it gives me:
getfacl /testshare/test2:
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2:
drwxrwxrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

4) I stop the samba process and upload the debuglog as smb.log.acl

5) I do the _exact_ same procedure as above, but this time I start the samba compiled without acl-support instead

After changing the everyone-permission to full control, as above, I now get:

getfacl /testshare/test2
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2
drwxrwsrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

6) I stop the samba process and upload the debuglog as smb.log.noacl

The only difference between the two results is that the setgid bit is correctly being applied when I compile Samba without ACL support.

This is very strange. We have the problem on file servers with samba 3.4.5, 3.2.7 and I have also reproduced the problem on samba 3.0.37

I can see that I have entered a few home-made debug entries in the smb.log.acl logfile, please forgive me for those! (I have tried a little bit of debugging for myself.)

-regards
Erik
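
An added check, not part of the original report or of Samba: it lists directories under a share path whose mode lacks any bit of the mask given to "force directory security mode", and names the missing bits. The helper names missing_forced_bits and demo are hypothetical, GNU stat is assumed, and the demo directories are constructed to mirror the two results above.

```shell
#!/bin/sh
# Added example: audit a share for directories missing forced mode bits.

missing_forced_bits() {
    root=$1   # share path, e.g. /testshare
    mask=$2   # octal mask from smb.conf, e.g. 2777
    # "-perm -MODE" matches when every bit of MODE is set; negating it
    # selects directories that lack at least one forced bit.
    find "$root" -type d ! -perm -"$mask" -print |
    while IFS= read -r dir; do
        mode=$(stat -c %a "$dir")          # GNU stat: octal mode incl. setgid
        missing=$(( 0$mask & ~0$mode ))    # forced bits absent from the mode
        printf 'missing=%o mode=%s %s\n' "$missing" "$mode" "$dir"
    done
}

# Constructed demo: one directory like the result without ACL support
# (drwxrwsrwx) and one like the result with ACL support (drwxrwxrwx).
demo() {
    d=$(mktemp -d) || return 1
    # Create the subdirectories before setting setgid on the parent,
    # otherwise they would inherit the bit from it.
    mkdir "$d/with_setgid" "$d/without_setgid"
    chmod 2777 "$d" "$d/with_setgid"
    chmod 0777 "$d/without_setgid"
    missing_forced_bits "$d" 2777
    rm -rf "$d"
}

demo
```

On a real share, run missing_forced_bits /testshare 2777 after a permission change from the Windows security dialog; a line with missing=2000 means the setgid bit was not applied.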
Comment 1 Erik Sørnes 2010-02-20 06:07:06 UTC
Created attachment 5405 [details]
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000
Comment 2 Erik Sørnes 2010-02-20 06:11:55 UTC
Created attachment 5406 [details]
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000

Don't read the obsolete one, it was from another, older test run of smbd
Comment 3 Erik Sørnes 2010-02-20 06:12:55 UTC
Created attachment 5407 [details]
Debug 10 output from samba-3.4.5 without acl support

Debug 10 output from samba-3.4.5 without acl support while I change the user everyone to full control from windows 2000