7163 – "force directory security mode = 2777" does not apply setgid when samba is compiled with acl support

Bug 7163 - "force directory security mode = 2777" does not apply setgid when samba is compiled with acl support

Summary: "force directory security mode = 2777" does not apply setgid when samba is co...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.4.5
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Volker Lendecke
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-02-20 05:55 UTC by Erik Sørnes
Modified:	2020-11-16 09:32 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Debug 10 output from samba-3.4.5 with acl support (141.73 KB, application/x-gzip) 2010-02-20 06:07 UTC, Erik Sørnes	no flags	Details
Debug 10 output from samba-3.4.5 with acl support (129.35 KB, application/x-gzip) 2010-02-20 06:11 UTC, Erik Sørnes	no flags	Details
Debug 10 output from samba-3.4.5 without acl support (149.25 KB, application/x-gzip) 2010-02-20 06:12 UTC, Erik Sørnes	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Sørnes 2010-02-20 05:55:16 UTC

In our corprate environment, we wish to use the setgid-feature in ext3 filesystem together with "force directory security mode" in samba to enforce "rws" on the posix "group-owner", even if the user changes permissions on a file from the native NT security dialog box.

1)These setting work, when we compile samba-3.4.5 with --with-acl-support=no
2)But when we compile samba-3.4.5 with "--with-acl-support=yes", the setgid-bit is not being applied. The other security-bits are however rightfully applied.

I have reproduced the problem on a testserver with minimal configuration. Only the smbd process are running here:

SLES11, x86_64, samba-3.4.5
uname -a
Linux erso-desktop 2.6.27.42-0.1-default #1 SMP 2010-01-06 16:07:25 +0100 x86_64 x86_64 x86_64 GNU/Linux
The filesystem is ext3

The windows-machine I use as client is windows2000 professional sp4

I have installed samba 3.4.5 with acl support to /samba-3.4.5
I have installed samba 3.4.5 without acl support to /samba-3.4-5-noacl
The smb.conf for both installasjons is like this:
 
[global]                                                                  
        server string = Samba fra erso                            
	passdb backend = tdbsam:/samba-3.4.5/private/passdb.tdb
        comment = testsone                                             
        workgroup = testgroup                                                   
        security = server                                                    
        log level = 10   
	max log size = 0
        debug hires timestamp = yes                                       
        debug pid = yes                                                   
        printcap name = /etc/printcap                                          
        disable spoolss = yes                                             
        map to guest = Bad User                                           
        usershare allow guests = No 
        netbios name = testpc                                          
        wins support = No          

[test$]
        comment = testshare
        path=/testshare
        writable=yes
        browsable=yes
        force directory security mode = 2777

getfacl /testshare:
# file: testshare
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
ls -ld /testshare:
drwxrwxrwx 3 root root 4096 Feb 20 12:04 /testshare

I user the testfoler "/testshare/test2", here is getfacl "/testshare/test2" before I access it from windows, using samba with acl-support:

getfacl /testshare/test2:
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::r--
group::---
other::---
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2
dr--------+  2 Administrator gruppetest 4096 Feb 20 12:04 test2

Now, I start samba with acl support and debug level 10 and do the following
1) Open \\<ip-of-sambaserver\test$ i explorer.exe on windows2000
2) Select properties of the test2 folder in windows explorer
3) On the security tab, I mark the user "everybody", Select full controll, and click OK.
5) I run getfacl /testshare/test2 and it gives me:
getfacl /testshare/test2:
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2:
drwxrwxrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

4) I stop the samba process and upload the debuglog as smb.log.acl

5) I do the _exact_ same procedure as above, but this time I start the samba compiled without acl-support instead

After changing the everyone-permission to full control, as above, I now get:

getfacl /testshare/test2
# file: testshare/test2
# owner: Administrator
# group: gruppetest
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
ls -ld /testshare/test2
drwxrwsrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

6) I stop the samba process and upload the debuglog as smb.log.noacl

The only difference between the to results are that the setgid-bit is correctly being applied when I compile samba without acl-support.

This is very strange. We have the problem om fileservers with samba 3.4.5, 3.2.7 and I have also reprodused the problem on samba 3.0.37

I can see that I have entered a few home-made debug-entries in the smb.log.acl-logfile, please forgive me for those! (I have tried a little bit of debuggin for my self..). 

-regards
Erik

Comment 1 Erik Sørnes 2010-02-20 06:07:06 UTC

Created attachment 5405 [details]
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000

Comment 2 Erik Sørnes 2010-02-20 06:11:55 UTC

Created attachment 5406 [details]
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000

Don't read the obsolete one, it was fram an other, older testrun of smbd

Comment 3 Erik Sørnes 2010-02-20 06:12:55 UTC

Created attachment 5407 [details]
Debug 10 output from samba-3.4.5 without acl support

Debug 10 output from samba-3.4.5 without acl support while I change the user everyone to full control from windows 2000

Comment 4 Björn Jacke 2020-11-16 09:32:06 UTC

can you test again with a recent samba version, please, and see if this is still an issue for you? You should also check out the "acl group control" and "inherit owner" parameters actually. I think with the right combination of those it will work.