Bug 7581 - Users in "admin users" in smb.conf file are unable to read/write all files when the acl_xattr vfs module is used
Summary: Users in "admin users" in smb.conf file are unable to read/write all files wh...
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 3.5.3
Hardware: x86 Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-07-22 15:41 UTC by John Mulligan (dead mail address)
Modified: 2010-08-23 04:21 UTC (History)
0 users

See Also:

Fix for 3.5.x. (4.25 KB, patch)
2010-08-12 19:04 UTC, Jeremy Allison
vl: review+

Note You need to log in before you can comment on or make changes to this bug.
Description John Mulligan (dead mail address) 2010-07-22 15:41:09 UTC
Version of Samba: 3.5.3
OS: Fedora 11 with SELinux disabled

Steps to reproduce:

* Set up samba with ads mode and the acl_xattr vfs module used
  for the target share (see config 1). Add user UserB
  (for example "Administrator") in the "admin users" config line.
* UserA creates a file and then changes acls such that only
  UserA is granted read/write access to the file.
* Use windows notepad.exe to write some  text into the file as UserA.
* (On another machine) As UserB navigate to the share and folder
  containing the file.
* As UserB try to open the text file. Access is denied.
* On the samba server, remove the acl_xattr module and restart samba.
* As UserB, try to open the file: access is granted. UserB
  can read and write the file.

* If you reactivate the acl_xattr module access is once again denied.

Notes of interest:

I don't know how valuable this information is, but the admin users do have
the ability to change the acls of the files they cannot open. In addition they
can read the contents of any directory.
Comment 1 Jeremy Allison 2010-08-12 19:04:34 UTC
Created attachment 5903 [details]
Fix for 3.5.x.

Please test and report back on the bug if this fixes your problem.


Comment 2 John Mulligan (dead mail address) 2010-08-17 16:30:51 UTC
Yes the attached patch fixed the problem for me. My tests passed. :-)
Thank you.
Comment 3 Jeremy Allison 2010-08-17 16:42:16 UTC
Comment on attachment 5903 [details]
Fix for 3.5.x.

Volker please check then re-assign to Karolin if you're ok with this for 3.5.x.

It fixes the users problem.

Comment 4 Karolin Seeger 2010-08-23 04:21:49 UTC
Pushed to v3-5-test.
Closing out bug report.