Bug 8672 - NT ACL inheritance issue
NT ACL inheritance issue
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
3.6.1
All All
: P5 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-12-20 01:04 UTC by srikumar
Modified: 2011-12-22 04:26 UTC (History)
2 users (show)

See Also:


Attachments
script to reproduce NT ACL append permission issue (1.73 KB, application/octet-stream)
2011-12-22 04:25 UTC, srikumar
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description srikumar 2011-12-20 01:04:12 UTC
Description:

Unlike NT, samba denies the permission if parent has deny but local ACL allow. In Windows Server, local ACL overrides parent ACL. Only if local ACL does not have a matching ACE, its parent (and then grandparent) ACLs are consulted.


Example:

dir1 has user1 write/append deny
file1 inside dir1 has user1 with full access.

In this case, user1 could not append to file1 though it has a local ACE with full access.
Comment 1 Jeremy Allison 2011-12-20 21:55:42 UTC
Ok - this one I have to see how you are reproducing.

For file access in Samba we *never* look at directory permissions. Just isn't done.

Please describe the full test you are doing in order to reproduce this.

Jeremy.
Comment 2 srikumar 2011-12-21 02:01:48 UTC
(In reply to comment #1)

Setup:
1) 'luser1' login to samba CIFS share (with NT ACL support) and mapped to n: 
2) n: has everyone full access ALLOWed
3) 'luser1' creates 'dir1' inside n:
4) 'luser1' sets 'dir1' with "luser2 write/delete/takeowner DENY and list/traverse/read_acl' ALLOW"
5) 'luser1' creates a file 'test.txt' under 'dir1' 
6) 'luser1' sets 'test.txt' with "luser2 write/append ALLOW"

7) Now login to the same share as 'luser2'
8) Try to append data to test.txt but the access is denied

--------------------------------------------------------
ACE details for 'test.txt':

C:\>setacl -on n:\dir1\test.txt -ot file -actn list -lst "f:tab;w:d,o,g;i:y" \\?\n:\dir1\test.txt

Owner: FC16\luser1
Group: FC16\None

DACL(not_protected+auto_inherited):
FC16\luser2 FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY allow             no_inheritance
FC16\luser2 write+FILE_DELETE_CHILD+WRITE_OWNER+WRITE_DAC+DELETE deny inherited
FC16\luser2 FILE_LIST_DIRECTORY+FILE_TRAVERSE+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   inherited
Everyone   full   allow   inherited

SetACL finished successfully.

C:\>echo "hello world" >> n:\dir1\test.txt
Access is denied.
-------------------------------------------------------



> Ok - this one I have to see how you are reproducing.
> 
> For file access in Samba we *never* look at directory permissions. Just isn't
> done.
> 
> Please describe the full test you are doing in order to reproduce this.
> 
> Jeremy.
Comment 3 Jeremy Allison 2011-12-21 21:06:41 UTC
I can't help noticing that test.txt doesn't have FILE_WRITE_ATTRIBUTES set. Can you try setting that and seeing if the open for append succeeds ?

In the meantime I'm trying to reproduce.

Jeremy.
Comment 4 Jeremy Allison 2011-12-21 22:27:46 UTC
Can you give me the setacl.exe command line you used to set the ACL on dir1 and test.txt please ? I'm having trouble reproducing the setup you have here.

Jeremy.
Comment 5 srikumar 2011-12-22 04:23:40 UTC
(In reply to comment #3)
Please note that the file has
"FC16\luser2 FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY allow"
FILE_ADD_FILE => for file object it is 'write data'
FILE_ADD_SUBDIRECTORY => for file object it is 'append data'

Even if I give full permission to that file, append fails.
Comment 6 srikumar 2011-12-22 04:25:58 UTC
Created attachment 7213 [details]
script to reproduce NT ACL append permission issue
Comment 7 srikumar 2011-12-22 04:26:39 UTC
Please download setACL.exe from http://sourceforge.net/projects/setacl/files/