ACL's and samba 2.2

Jeremy Allison jeremy at
Sat Apr 21 20:24:38 GMT 2001

On Sat, Apr 21, 2001 at 10:18:30PM +0200, Juergen Hasch wrote:
> I traced this problem down to open_file() in smbd/open.c:
> 	string_set(&fsp->fsp_name,fname);
> 	fsp->wbmpx_ptr = NULL;      
> 	fsp->wcp = NULL; /* Write cache pointer. */
> 	DEBUG(2,("%s opened file %s read=%s write=%s (numopen=%d)\n",
> 		 *current_user_info.smb_name ? current_user_info.smb_name : conn->user,
> 		 fsp->fsp_name,
> 		 BOOLSTR(fsp->can_read), BOOLSTR(fsp->can_write),
> 		 conn->num_files_open + 1)); 
> 	/*
> 	 * Take care of inherited ACLs on created files. JRA.
> 	 */
> 	if ((flags & O_CREAT) && (conn->vfs_ops.fchmod_acl != NULL)) {
> 		int saved_errno = errno; /* We might get ENOSYS in the next call.. */
> X		if (conn->vfs_ops.fchmod_acl(fsp, fsp->fd, mode) == -1 && errno == ENOSYS)
> X			errno = saved_errno;  /* Ignore ENOSYS */
> 	}
> If I remove the "X" marked lines, the problems go away. Maybe Jeremy can
> give some insight into what may go wrong here.

I'm doing the fchmod_acl as doing an O_CREAT will create
a file and set the ACL mask to something other than rwx.

Samba works hard to set the ACL entries to be exactly
what is required for access - and having an ACL mask of anything
other than rwx will screw that up. Normally, the kernel recalculates
the mask depending on the group permissions when a file is
created. So what I do is create the file, then go back and
re-write the group permissions to be what I wanted in the mode_t
of the open, and set the ACL mask back to rwx. This has the same
effect as doing the open without it on system security, but leaves
the mask in the correct state for Samba.

That's what the fchmod_acl() call is for.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
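
The mask arithmetic behind this reply, as an added example that is not part of the original post and is not Samba's code: a small C model of a POSIX ACL in which a file is created under a default ACL and the mask is then reset as the reply describes. The struct, the function names and the sample default ACL are constructed for illustration; the creation rule modelled is the POSIX.1e draft behaviour documented in Linux acl(5).

```c
#include <stdio.h>

/* Permission bits, laid out like one rwx triplet of a mode_t. */
enum { P_R = 4, P_W = 2, P_X = 1, P_RWX = 7 };

/* Constructed minimal access ACL: the three base entries, one named
 * user entry and the mask (illustrative model, not Samba's structures). */
struct acl_model {
    unsigned user_obj, named_user, group_obj, mask, other;
};

/* Named entries and the owning group are limited by the mask;
 * the owner and other entries are not. */
unsigned effective_named_user(const struct acl_model *a) { return a->named_user & a->mask; }
unsigned effective_group(const struct acl_model *a) { return a->group_obj & a->mask; }

/* Model of open(O_CREAT, mode) in a directory with a default ACL: the
 * default ACL is copied, then owner, mask and other are intersected
 * with the matching bits of mode. */
struct acl_model create_with_default(struct acl_model dflt, unsigned mode)
{
    dflt.user_obj &= (mode >> 6) & P_RWX;
    dflt.mask     &= (mode >> 3) & P_RWX;  /* group bits land on the mask */
    dflt.other    &= mode & P_RWX;
    return dflt;
}

/* Model of the follow-up step described in the reply: write the group
 * bits of mode into the owning-group entry and set the mask back to rwx. */
void reset_mask(struct acl_model *a, unsigned mode)
{
    a->group_obj = (mode >> 3) & P_RWX;
    a->mask = P_RWX;
}

int main(void)
{
    /* Constructed default ACL: owner rwx, named user rw-, group rwx, other r--. */
    struct acl_model dflt = { P_RWX, P_R | P_W, P_RWX, P_RWX, P_R };
    struct acl_model f = create_with_default(dflt, 0640);
    printf("after create: mask=%o named-user=%o group=%o\n",
           f.mask, effective_named_user(&f), effective_group(&f));
    reset_mask(&f, 0640);
    printf("after reset:  mask=%o named-user=%o group=%o\n",
           f.mask, effective_named_user(&f), effective_group(&f));
    return 0;
}
```

In this model the named user's rw- entry is cut to r-- by the mask left behind by the create, and is honoured as written once the mask is rwx, while the owning group stays at the r-- requested in the mode.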
