Acl funny's with samba 2.2.1 cvs

Gerald Carter gcarter at valinux.com
Thu Jul 5 13:52:02 GMT 2001


On Thu, 5 Jul 2001, Ries van Twisk wrote:

> Hi,
>
> here are my ACL funnys again. I just installed a new Debian test
> system with a 2.4.5 Kernel with the ea and acl patches. I still have
> problems with ACL even with the 2.2.1 cvs version grabbed this morning
> (8:30 GMT 5 july).
>
> Here are the results again:
>
> system.
> Samba : 2.2.1 from cvs
> Kernel version: 2.4.5
> ACL patch 0.7.14
> EA patch 0.7.14
>
>
> I have a dir with a ACL default permision like this:
> # file: home/office/quotes/FI-DH-1407-01
> # owner: root
> # group: quotes
> user::rwx
> group::rwx
> group:adminquotes:rwx
> mask:rwx
> other:---
> default:user::rwx
> default:group::r--
> default:group:adminquotes:rwx
> default:mask:rwx
> default:other:---
>
>
> When I open Notepad and create a EMPTY file in the subdirectory the
> permissions are set like this:
> # file: home/office/quotes/FI-DH-1407-01/empty.txt
> # owner: ries
> # group: quotes
> user::rw-
> group::r--
> group:adminquotes:rwx
> mask:rwx
> other:---
>
> This is correct because my 'create mask' set set to 0640 in that share so the
> above is expected on this directory. Also I don't have the 'inherit permissions'
> on (unless it's on by default). Also no sticky bit is set on this directory.
>
>
> When I open Notepad and create a file with some data (!=0 bytes) in the
> subdirectory the permissions are set like this:
> # file: home/office/quotes/FI-DH-1407-01/Full.txt
> # owner: ries
> # group: quotes
> user::rw-
> group::rwx
> group:adminquotes:rwx
> mask:rwx
> other:---
>
> Funny the group right are now set to rwx!!!
>
> I did some experiments directly on the console and everything was ok,
> it seems to me something I overlooked or a bug in the samba ACL code?
> I'll try to check the ACL code but I have never looked at the samba
> code so it may take some time. Anybody has pointers/Hints on doing
> this?

Look in lib/sysacls.c at the code included in the
#ifdef (HAVE_POSIX_ACLS) section.  It would also be a good
idea to look at a level 10 debug log (with debug timestemp = no)
to review any set_security_descriptor() calls the client is
making.









cheers, jerry
 ---------------------------------------------------------------------
 http://www.valinux.com/     VA Linux Systems      gcarter at valinux.com
 http://www.samba.org/          SAMBA Team             jerry at samba.org
 http://www.plainjoe.org/                           jerry at plainjoe.org
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--





More information about the samba-technical mailing list