[linux-cifs-client] patch to modify how ACEs are set for a chmod command

simo idra at samba.org
Wed Jan 30 21:22:12 GMT 2008


On Wed, 2008-01-30 at 12:35 -0600, Shirish Pargaonkar wrote:
> Change the behaviour on what ACL is sent for a chmod command.
> Instead of sending just three ACE, one for owner, one for group, and
> one for everyone thus destroying any aces that existed on the object
> on the server, this patch will now send those three aces and any
> aces that existed as it is.

Shirish,
this is delicate matter, the problem is that changing semantics may have
an impact on security.

In POSIX the group permissions are aliased to a mask when POSIX ACLs are
present. This means that if you do a chmod 600 myfile, even with posix
ACLs the only one that will be allowed to access the file will be the
user, no matter how many other users or groups are listed in the ACL.

With your patch this does not hold true anymore, anyone with explicit
access in the NT ACL will keep permission to access the file, only the
user's primary group members and anyone else will be denied access.

This is probably not what the user meant by setting the file to 600,
usually what is meant is that the final result will be that only the
user will have access.

Now, getting an ACE list which represent this is definitely tricky and I
guess that is why the current code simply wipes out the ACL completely
and replaces it.

A more sensible way would probably be to set the group bits for the
primary group if no other ACEs are present, and instead to "mask" all
other ACEs with the group bits if entries other than user/group/everyone
are present. The downside of masking is that this would have a tattoo
effect you do  not have with POSIX ACLs.

Another (more difficult and dangerous) way would be to use DENY ACEs to
reverse a lack of access granted by the mask, but it would then get even
trickier to understand if an existing DENY ACE was there because of a
"mask" operation or was there before and should be preserved when, later
on, someone decides to chmod 660 again.

Tough call.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>



More information about the linux-cifs-client mailing list