Bug 8442 - NFSv4 DENY ACLs always include SYNCHRONIZE flag - blocking renames.
Summary: NFSv4 DENY ACLs always include SYNCHRONIZE flag - blocking renames.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: 3.6.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 8399
Reported: 2011-09-07 18:59 UTC by Jeremy Allison
Modified: 2012-06-07 08:06 UTC

See Also:


Attachments
git-am fix for 3.6.1 (2.71 KB, patch)
2011-09-08 05:25 UTC, Jeremy Allison
metze: review+

Description Jeremy Allison 2011-09-07 18:59:33 UTC
The bugfix for bug https://bugzilla.samba.org/show_bug.cgi?id=7909 unconditionally adds the SYNCHRONIZE flag to an ace mask. This should only be done for ALLOW ace entries, not for DENY entries.

Reported by Youzhong Yang, fix to follow.

Jeremy.
Comment 1 Jeremy Allison 2011-09-07 19:15:23 UTC
Consider the following directory NFSv4 ACL:

drwxrwxrwx   2 XXX XXX      13 Aug 31 09:52 filename
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@::deny
     3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/execute:allow
     4:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

When we process the owner@::deny and group@::deny entries we add in the SMB_ACE4_SYNCHRONIZE bit to the mask, which we should not do.
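
Added example, not part of the original comment or of the Samba source: a small model of why adding SYNCHRONIZE to the empty owner@ deny entry refuses any request that asks for SYNCHRONIZE. The map_mask, access_ok and owner_access helpers are hypothetical, the allow mask is shortened, and the requested mask is a constructed sample; the bit values are the NFSv4 ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ACE types and mask bits as defined for NFSv4 (RFC 3530). */
enum { ACE4_ALLOW = 0, ACE4_DENY = 1 };
#define ACE4_READ_DATA   0x00000001u
#define ACE4_WRITE_DATA  0x00000002u
#define ACE4_SYNCHRONIZE 0x00100000u
struct ace { int type; uint32_t mask; };

/* Hypothetical mask conversion. fixed == 0 adds SYNCHRONIZE to every ACE
 * (the behaviour reported here); fixed == 1 adds it to ALLOW entries only. */
static uint32_t map_mask(const struct ace *a, int fixed)
{
    if (!fixed || a->type == ACE4_ALLOW)
        return a->mask | ACE4_SYNCHRONIZE;
    return a->mask;
}

/* Ordered evaluation: a DENY ACE covering any still-wanted bit refuses the
 * request; an ALLOW ACE satisfies the bits it covers. */
static int access_ok(const struct ace *acl, size_t n, uint32_t wanted, int fixed)
{
    for (size_t i = 0; i < n && wanted; i++) {
        uint32_t m = map_mask(&acl[i], fixed);
        if (acl[i].type == ACE4_DENY && (m & wanted))
            return 0;
        if (acl[i].type == ACE4_ALLOW)
            wanted &= ~m;
    }
    return wanted == 0;
}

/* Constructed sample: entries 0 and 1 of the listing as they apply to the
 * owner, with the allow mask shortened to two bits. */
int owner_access(int fixed)
{
    const struct ace acl[] = {
        { ACE4_DENY,  0 },                                /* 0:owner@::deny */
        { ACE4_ALLOW, ACE4_READ_DATA | ACE4_WRITE_DATA }, /* 1:owner@:...:allow */
    };
    return access_ok(acl, 2, ACE4_READ_DATA | ACE4_SYNCHRONIZE, fixed);
}

int main(void)
{
    printf("unconditional: %d, allow-only: %d\n", owner_access(0), owner_access(1));
    return 0;
}
```
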
Comment 2 Jeremy Allison 2011-09-08 05:25:08 UTC
Created attachment 6866
git-am fix for 3.6.1

Fairly simple couple of patches to fix this.
Jeremy.
Comment 3 Stefan Metzmacher 2011-10-10 11:23:54 UTC
Comment on attachment 6866
git-am fix for 3.6.1

Looks ok
Comment 4 Stefan Metzmacher 2011-10-10 11:24:21 UTC
Karolin, please pick for the release
Comment 5 Karolin Seeger 2011-10-11 18:04:23 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!