Description: Unlike NT, Samba denies the permission if parent has deny but local ACL allow. In Windows Server, local ACL overrides parent ACL. Only if local ACL does not have a matching ACE, its parent (and then grandparent) ACLs are consulted.
Example:
  dir1 has user1 write/append deny
  file1 inside dir1 has user1 with full access
In this case, user1 could not append to file1 though it has a local ACE with full access.
Ok - this one I have to see how you are reproducing. For file access in Samba we *never* look at directory permissions. Just isn't done. Please describe the full test you are doing in order to reproduce this. Jeremy.
(In reply to comment #1)
Setup:
1) 'luser1' login to samba CIFS share (with NT ACL support) and mapped to n:
2) n: has everyone full access ALLOWed
3) 'luser1' creates 'dir1' inside n:
4) 'luser1' sets 'dir1' with "luser2 write/delete/takeowner DENY and list/traverse/read_acl' ALLOW"
5) 'luser1' creates a file 'test.txt' under 'dir1'
6) 'luser1' sets 'test.txt' with "luser2 write/append ALLOW"
7) Now login to the same share as 'luser2'
8) Try to append data to test.txt but the access is denied
--------------------------------------------------------
ACE details for 'test.txt':
C:\>setacl -on n:\dir1\test.txt -ot file -actn list -lst "f:tab;w:d,o,g;i:y"
\\?\n:\dir1\test.txt
Owner: FC16\luser1
Group: FC16\None
DACL(not_protected+auto_inherited):
FC16\luser2 FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY allow no_inheritance
FC16\luser2 write+FILE_DELETE_CHILD+WRITE_OWNER+WRITE_DAC+DELETE deny inherited
FC16\luser2 FILE_LIST_DIRECTORY+FILE_TRAVERSE+FILE_READ_ATTRIBUTES+READ_CONTROL allow inherited
Everyone full allow inherited
SetACL finished successfully.
C:\>echo "hello world" >> n:\dir1\test.txt
Access is denied.
-------------------------------------------------------
> Ok - this one I have to see how you are reproducing.
>
> For file access in Samba we *never* look at directory permissions. Just isn't
> done.
>
> Please describe the full test you are doing in order to reproduce this.
>
> Jeremy.
I can't help noticing that test.txt doesn't have FILE_WRITE_ATTRIBUTES set. Can you try setting that and seeing if the open for append succeeds? In the meantime I'm trying to reproduce. Jeremy.
Can you give me the setacl.exe command line you used to set the ACL on dir1 and test.txt please? I'm having trouble reproducing the setup you have here. Jeremy.
(In reply to comment #3)
Please note that the file has "FC16\luser2 FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY allow"
FILE_ADD_FILE => for file object it is 'write data'
FILE_ADD_SUBDIRECTORY => for file object it is 'append data'
Even if I give full permission to that file, append fails.
Created attachment 7213
script to reproduce NT ACL append permission issue
Please download setACL.exe from http://sourceforge.net/projects/setacl/files/
The reproducer will also fail on a Windows system. The "append data" right applies to open with the FILE_APPEND_DATA flag. "echo foo >> test.txt" is not doing such an open. I would like to close this bug - but I didn't have a chance to check that it works correctly with a proper FILE_APPEND_DATA open ...
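An added example, not part of the bug thread and not Samba's code: a simplified Python version of the ordered ACE walk Windows documents for DACL evaluation, run over the test.txt DACL listed above. It shows an open asking only for FILE_APPEND_DATA passing on the explicit allow, while a broader write open is stopped by the inherited deny. The expansion of SetACL's "write" shorthand, and the use of FILE_GENERIC_WRITE to stand in for the shell redirect's open, are assumptions.

```python
# Added illustration (not from the bug thread): simplified ordered DACL walk.
# Ignores owner rights, privileges and generic-mapping details.
FILE_READ_DATA        = 0x000001  # FILE_LIST_DIRECTORY on a directory
FILE_WRITE_DATA       = 0x000002  # FILE_ADD_FILE on a directory
FILE_APPEND_DATA      = 0x000004  # FILE_ADD_SUBDIRECTORY on a directory
FILE_WRITE_EA         = 0x000010
FILE_EXECUTE          = 0x000020  # FILE_TRAVERSE on a directory
FILE_DELETE_CHILD     = 0x000040
FILE_READ_ATTRIBUTES  = 0x000080
FILE_WRITE_ATTRIBUTES = 0x000100
DELETE, READ_CONTROL  = 0x010000, 0x020000
WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x040000, 0x080000, 0x100000
FILE_ALL_ACCESS       = 0x1F01FF
FILE_GENERIC_WRITE = (READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA |
                      FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)
# Assumption: SetACL's "write" shorthand covers these four write bits.
SETACL_WRITE = (FILE_WRITE_DATA | FILE_APPEND_DATA |
                FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)

# DACL of test.txt in the order SetACL listed it: explicit ACE, then inherited.
DACL = [
    ("luser2", "allow", FILE_WRITE_DATA | FILE_APPEND_DATA),
    ("luser2", "deny", SETACL_WRITE | FILE_DELETE_CHILD | WRITE_OWNER
                       | WRITE_DAC | DELETE),
    ("luser2", "allow", FILE_READ_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES
                        | READ_CONTROL),
    ("Everyone", "allow", FILE_ALL_ACCESS),
]
TOKEN = {"luser2", "Everyone"}  # SIDs carried by luser2's session

def access_check(dacl, token, desired):
    """Return (granted, blocking_bits) for an open requesting `desired`."""
    remaining = desired
    for trustee, kind, mask in dacl:
        if trustee not in token:
            continue
        if kind == "deny" and remaining & mask:
            return False, remaining & mask   # a still-ungranted bit is denied
        if kind == "allow":
            remaining &= ~mask               # these bits are now granted
        if remaining == 0:
            return True, 0
    return False, remaining                  # no ACE granted the leftover bits

if __name__ == "__main__":
    for name, want in (("FILE_APPEND_DATA only", FILE_APPEND_DATA),
                       ("FILE_GENERIC_WRITE", FILE_GENERIC_WRITE)):
        ok, blocked = access_check(DACL, TOKEN, want)
        print(f"{name}: {'granted' if ok else 'denied'} (blocking {blocked:#x})")
```

The blocking bits in the second case are FILE_WRITE_EA and FILE_WRITE_ATTRIBUTES, which the explicit allow ACE on test.txt does not cover.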