Bug 8443 - Default user entry is set to minimal permissions on incoming ACL change with no user specified.
Default user entry is set to minimal permissions on incoming ACL change with ...
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: File services
3.6.0
All All
: P5 regression
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks: 8399
  Show dependency treegraph
 
Reported: 2011-09-08 00:48 UTC by Jeremy Allison
Modified: 2011-10-08 18:06 UTC (History)
3 users (show)

See Also:


Attachments
git-am fix for 3.5.x (5.70 KB, patch)
2011-09-08 22:26 UTC, Jeremy Allison
metze: review+
obnox: review+
Details
git-am fix for 3.6.1 (6.05 KB, patch)
2011-09-08 22:32 UTC, Jeremy Allison
metze: review+
obnox: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2011-09-08 00:48:06 UTC
This is a policy change, but I believe it's the right thing to do.

If we get an incoming Windows ACL that does not include an explicit entry for the owning user, we have to generate one for the underlying POSIX ACL (required).

Currently we make this a minimal mapping of r-- for the owner if it's a file, but rwx if it's a directory.

This causes problems for OEMs when owning users can no longer access the file even when the owner of the file is a member of one of the other groups being given access (POSIX ACLs don't merge rights).

I'd like to change this so that the existing owner permissions are left alone on the file if we get an incoming ACL that doesn't include an owner permission.

Patch to follow.

Jeremy.
Comment 1 Jeremy Allison 2011-09-08 22:26:17 UTC
Created attachment 6871 [details]
git-am fix for 3.5.x
Comment 2 Jeremy Allison 2011-09-08 22:32:24 UTC
Created attachment 6872 [details]
git-am fix for 3.6.1

Code that has gone into master...
Comment 3 Jeremy Allison 2011-09-08 22:32:39 UTC
Confirmed this fixes the issue by OEM.
Comment 4 Jeremy Allison 2011-09-29 15:36:10 UTC
Comment on attachment 6872 [details]
git-am fix for 3.6.1

Adding Michael Adams as he may have more time to review.
Comment 5 Jeremy Allison 2011-09-29 15:36:29 UTC
Comment on attachment 6871 [details]
git-am fix for 3.5.x

Adding Michael Adams as he may have more time to review.
Comment 6 Jeremy Allison 2011-10-03 21:24:40 UTC
Comment on attachment 6871 [details]
git-am fix for 3.5.x

vl is out. Changing to metze for revew.
Comment 7 Jeremy Allison 2011-10-03 21:24:53 UTC
Comment on attachment 6872 [details]
git-am fix for 3.6.1

vl is out. Changing to metze for revew.
Comment 8 Jeremy Allison 2011-10-03 21:25:22 UTC
Changing to blocker. I *really* need this reviewed and in for 3.5.next and 3.6.1.

Jeremy.
Comment 9 Stefan Metzmacher 2011-10-05 09:05:38 UTC
Comment on attachment 6871 [details]
git-am fix for 3.5.x

Looks ok
Comment 10 Michael Adam 2011-10-05 09:06:06 UTC
Comment on attachment 6872 [details]
git-am fix for 3.6.1

This looks reasonable. I am ok with the policy change. This has bitten us now and then.
Comment 11 Michael Adam 2011-10-05 09:06:38 UTC
Comment on attachment 6871 [details]
git-am fix for 3.5.x

ok also for 3.5
Comment 12 Stefan Metzmacher 2011-10-05 09:06:55 UTC
Comment on attachment 6872 [details]
git-am fix for 3.6.1

Looks ok
Comment 13 Stefan Metzmacher 2011-10-05 09:07:59 UTC
Karolin, please pick for the releases
Comment 14 Karolin Seeger 2011-10-08 18:06:11 UTC
Pushed to v3-5-test and v3-6-test.
Closing out bug report.

Thanks!