2.0.4 and MSoffice: possible problem with nt acls

Jeremy Allison jallison at cthulhu.engr.sgi.com
Wed May 19 17:34:52 GMT 1999


Andy Bakun wrote:
> 
> I upgraded to 2.0.4 last night.  Today people are having trouble using MS
> Word.  People go to save files and they get a dialog saying that the save is
> unable to complete because of permissions.  I suspect this may be related
> to 'nt acl support' being yes by default in 2.0.4, so I've disabled that
> temporarily.
> 
> Specifically, it appears that the word temp files (~xxxxNN.tmp) end up with
> NO PERMISSIONS at all -- that is ls reports all dashes in the permissions
> string.
> I am unable to reproduce this on my machine, but it's happened with at
> least 2 of my users, and in a share that doesn't have 'force create mode'
> settings.  I've had no reports of it happening in another extremely heavily
> used share that has create mode/mask settings.  I'll continue to
> investigate this.  Has anyone else noticed anything?

Ok I've found it.

The problem is that the NT explorer shell sends NT
GENERIC_xxx permissions bits only when setting access
on files. These are then mapped into file specific 
access permissions when received by the server (as
Samba does also).

The Word binary is sending ACLs containing permissions
already mapped into file specific access permissions
so Samba is fooled into thinking it has no permissions
to set.

Here's the patch against 2.0.4a. It works here, so
let me know if it's ok and I'll do 2.0.4b.

Jeremy.

-----------------cut here------------------------------
Index: smbd/nttrans.c
===================================================================
RCS file: /data/cvs/samba/source/smbd/nttrans.c,v
retrieving revision 1.59.2.35
diff -u -r1.59.2.35 nttrans.c
--- nttrans.c	1999/05/15 00:06:22	1.59.2.35
+++ nttrans.c	1999/05/19 17:31:30
@@ -1944,6 +1944,10 @@
  Map NT perms to UNIX.
 ****************************************************************************/
 
+#define FILE_SPECIFIC_READ_BITS
(FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
+#define FILE_SPECIFIC_WRITE_BITS
(FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
+#define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
+
 static mode_t map_nt_perms( SEC_ACCESS sec_access, int type)
 {
   mode_t mode = 0;
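Review bot: The `#define` lines for `FILE_SPECIFIC_READ_BITS` and `FILE_SPECIFIC_WRITE_BITS` have been wrapped in transit, so each macro name sits alone on a `+` line and its value follows on a line with no diff prefix; the patch will not apply as posted, and a hand-applied copy would define both macros as empty. Please resend with each definition on one line (or as an attachment), and add a one-line comment above the three macros saying which file-specific bits count as read, write and execute for the UNIX mapping.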
@@ -1953,27 +1957,27 @@
     if(sec_access.mask & GENERIC_ALL_ACCESS)
       mode = S_IRUSR|S_IWUSR|S_IXUSR;
     else {
-      mode |= (sec_access.mask & GENERIC_READ_ACCESS) ? S_IRUSR : 0;
-      mode |= (sec_access.mask & GENERIC_WRITE_ACCESS) ? S_IWUSR : 0;
-      mode |= (sec_access.mask & GENERIC_EXECUTE_ACCESS) ? S_IXUSR : 0;
+      mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS))
? S_IRUSR : 0;
+      mode |= (sec_access.mask &
(GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
+      mode |= (sec_access.mask &
(GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
     }
     break;
   case S_IRGRP:
     if(sec_access.mask & GENERIC_ALL_ACCESS)
       mode = S_IRGRP|S_IWGRP|S_IXGRP;
     else {
-      mode |= (sec_access.mask & GENERIC_READ_ACCESS) ? S_IRGRP : 0;
-      mode |= (sec_access.mask & GENERIC_WRITE_ACCESS) ? S_IWGRP : 0;
-      mode |= (sec_access.mask & GENERIC_EXECUTE_ACCESS) ? S_IXGRP : 0;
+      mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS))
? S_IRGRP : 0;
+      mode |= (sec_access.mask &
(GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
+      mode |= (sec_access.mask &
(GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
     }
     break;
   case S_IROTH:
     if(sec_access.mask & GENERIC_ALL_ACCESS)
       mode = S_IROTH|S_IWOTH|S_IXOTH;
     else {
-      mode |= (sec_access.mask & GENERIC_READ_ACCESS) ? S_IROTH : 0;
-      mode |= (sec_access.mask & GENERIC_WRITE_ACCESS) ? S_IWOTH : 0;
-      mode |= (sec_access.mask & GENERIC_EXECUTE_ACCESS) ? S_IXOTH : 0;
+      mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS))
? S_IROTH : 0;
+      mode |= (sec_access.mask &
(GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
+      mode |= (sec_access.mask &
(GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
     }
     break;
   }
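Review bot: In all three cases of `map_nt_perms` the new test `sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)` is true when any single bit of the group is set, so an ACE carrying only `FILE_READ_ATTRIBUTES` or `FILE_READ_EA` now maps to the UNIX read bit, and one carrying only `FILE_WRITE_ATTRIBUTES` maps to write. If that widening is not intended, key the decision on the data bits (`FILE_READ_DATA`, `FILE_WRITE_DATA|FILE_APPEND_DATA`) or require the whole group. The `S_IRUSR`, `S_IRGRP` and `S_IROTH` branches are also now three copies of the same three long lines; computing the read, write and execute results once and then selecting the user, group or other bits would keep them from drifting apart.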
@@ -2085,7 +2089,7 @@
      */
 
     psa->info.mask &=
(GENERIC_ALL_ACCESS|GENERIC_EXECUTE_ACCESS|GENERIC_WRITE_ACCESS|
-                     GENERIC_READ_ACCESS|UNIX_ACCESS_NONE);
+                     GENERIC_READ_ACCESS|UNIX_ACCESS_NONE|FILE_ALL_ATTRIBUTES);
 
     if(psa->info.mask != UNIX_ACCESS_NONE)
       psa->info.mask &= ~UNIX_ACCESS_NONE;
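Review bot: The mask filter now keeps `FILE_ALL_ATTRIBUTES`, while `map_nt_perms` tests `FILE_SPECIFIC_READ_BITS`, `FILE_SPECIFIC_WRITE_BITS` and `FILE_SPECIFIC_EXECUTE_BITS`; the definition of `FILE_ALL_ATTRIBUTES` is not part of this patch, so it cannot be confirmed from here that it covers every bit in those three macros (`FILE_EXECUTE` in particular). Building the filter from the three new macros would keep the two places in sync. The comment that closes just above this statement should also say that file-specific bits are now let through.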
-----------------end cut-------------------------------

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

