The bugfix for bug https://bugzilla.samba.org/show_bug.cgi?id=7909 unconditionally adds the SYNCHRONIZE flag to an ace mask. This should only be done for ALLOW ace entries, not for DENY entries. Reported by Youzhong Yang, fix to follow. Jeremy.
Consider the following directory NFSv4 ACL: drwxrwxrwx 2 XXX XXX 13 Aug 31 09:52 filename 0:owner@::deny 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/write_xattr/execute/write_attributes/write_acl /write_owner:allow 2:group@::deny 3:group@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/execute:allow 4:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny 5:everyone@:list_directory/read_data/add_file/write_data /add_subdirectory/append_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow When we process the owner@::deny and group@::deny entries we add in the SMB_ACE4_SYNCHRONIZE bit to the mask, which we should not do.
Created attachment 6866 [details] git-am fix for 3.6.1 Fairly simple couple of patches to fix this. Jeremy.
Comment on attachment 6866 [details] git-am fix for 3.6.1 Looks, ok
Karolin, please pick for the release
Pushed to v3-6-test. Closing out bug report. Thanks!