[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Rowland Penny rpenny at samba.org
Wed Jun 7 16:56:09 UTC 2023



On 07/06/2023 17:44, Tamás Németh via samba wrote:
> Dear All,
> 
>   Thank you for your help (especially Rowland Penny), I finally managed to
> migrate our ancient ext3 based, ISO-8859-2 encoded SaMBa 3.2.5 with locally
> stored UIDs and GIDs to a UTF-8 encoded ext4 based server running SaMBa
> 4.16.4 with RID UID/GID backend.
> 
>   However, after two weeks of the migration I observed something horrible:
> Windows Word (or MS Office in general) somehow manages to chown every saved
> file to the acting user, putting the original owner to a POSIX ACL. It
> means that slowly every user ever editing that document will be accumulated
> in its POSIX ACL. Not only MS Office, but the gvfsd-fuse backend of KDE
> does some horror: It also manages to chown a file it has write access to
> only via the "other (users)" POSIX bits, but instead of adding users to
> the POSIX ACL, it removes the access from the "other (users)" bits.
> 
>   OK, let's assume it's not a bug, but a feature (
> https://superuser.com/questions/1491076/disable-word-from-creating-acls-on-samba-fileshare
> or
> https://superuser.com/questions/289866/how-do-i-avoid-changing-a-files-linux-permissions-when-saving-over-a-samba-conn
> ). But if so, what is the recommended solution to prevent SaMBa from
> letting programs - intended only to write the content of files - change
> permissions in addition? Should I really simply disable "nt acl support"?
> 
> 
>   But even when considering this a feature, the newer SaMBa (4.16.4) does
> something I can only consider a bug: It needlessly adds the owning
> group to the POSIX ACL upon saving by MS Word, and additionally it adds
> users (except the acting user) to the POSIX ACL as GROUPS!!! It means there
> are NONEXISTENT groups added to the POSIX ACL which have the same GIDs as
> the UIDs of the users in the ACL:
> 
> # file: file.docx
> # owner: user_1
> # group: domain\040users
> user::rw-
> user:domain\040users:rw-
> user:user_2:rw-
> user:user_1:rw-
> group::rw-
> group:domain\040users:rw-  #This is unnecessary, since it equals the owning group. SaMBa 3.2.5 doesn't add this.
> group:user_2:rw- #This is not only unnecessary, but also nonexistent. This is a UID not a GID!
> mask::rwx
> other::rw-
> 
>   I also observed that UIDs are erroneously added as groups to the POSIX ACL
> by SaMBa 4.16.4 when manually adding users to the NT ACL with file explorer
> (by editing permissions), not only by saving with MS Word. I assume this
> means that Word only wants to add UIDs to the ACL but because of some bug,
> SaMBa 4.16.4 duplicates every UID as GID (except the acting user's) when
> adding it to a POSIX ACL. Do you consider it a bug, and if so, is it
> already known, or unknown? Is there any fix or workaround?
> 
> Thank you for your answer,
> 
> NÉMETH, Tamás

I suggest you read 'man vfs_acl_xattr'

Rowland
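A small audit script for getfacl listings like the one quoted above, added here as an example and not part of this thread or of Samba: it parses the output (including getfacl's `\NNN` octal escapes, so `domain\040users` becomes `domain users`) and flags the two patterns the question points out, a named group entry that repeats the owning group and a named group entry carrying the same name as a named user entry. The sample listing is constructed from the question's output with the inline remarks removed; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the getfacl output from the question, without the
# inline remarks, so the parser sees exactly what getfacl prints.
SAMPLE_GETFACL = """\
# file: file.docx
# owner: user_1
# group: domain\\040users
user::rw-
user:domain\\040users:rw-
user:user_2:rw-
user:user_1:rw-
group::rw-
group:domain\\040users:rw-
group:user_2:rw-
mask::rwx
other::rw-
"""

def unescape(name: str) -> str:
    # getfacl writes spaces and non-printable bytes as \NNN (octal), e.g. "\040".
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (header, entries); each entry is (tag, qualifier, perms)."""
    header: Dict[str, str] = {}
    entries: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):  # "# file:", "# owner:", "# group:" header lines
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        tag, qualifier, perms = line.split(":", 2)  # e.g. "user::rw-" -> ("user", "", "rw-")
        entries.append((tag, unescape(qualifier), perms))
    return header, entries

def suspicious_group_entries(text: str) -> List[str]:
    """Flag named group entries that repeat the owning group or mirror a named user."""
    header, entries = parse_getfacl(text)
    named_users = {q for tag, q, _ in entries if tag == "user" and q}
    findings = []
    for tag, q, _ in entries:
        if tag != "group" or not q:  # skip group::, mask::, other:: and user entries
            continue
        if q == header.get("group"):
            findings.append(f"group:{q} repeats the owning group")
        if q in named_users:
            findings.append(f"group:{q} has the same name as user:{q}")
    return findings

if __name__ == "__main__":
    for finding in suspicious_group_entries(SAMPLE_GETFACL):
        print(finding)
```

To audit a real share, feed it the output of `getfacl -R` split per file; the checks only report what the listing itself shows and do not touch the ACLs.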


