Problem with posix_acls.c/unpack_nt_owners

Jeremy Allison jra at samba.org
Wed Nov 28 11:32:02 GMT 2001 

On Wed, Nov 28, 2001 at 12:15:54PM +0100, Gerson Kurz wrote:
> Hi folks,
> 
> first post, please be gentle. In September 2001, Paul Herman posted this
> message:
> 
> http://groups.google.de/groups?q=unpack_nt_owners&hl=de&rnum=1&selm=9n8vbt%2
> 4181%241%40FreeBSD.csie.NCTU.edu.tw
> 
> I have checked the "samba-lastest.tar.gz" and the fix is not in there. Let
> me explain what the problem is from the windows side.
> 
> On Windows NT/2000, when you use the CreateFile() API you can specify the
> ACL for the file. If an application specifies NULL as ACL (as does the
> standard lib) the file is created with default access permissions. This
> works fine on Samba.
> 
> However, it is common practice on NT to create files with an ACL, for the
> following reason. If a file is created by one user, other users -if they are
> not administrators- cannot access the file. This is not always desirable.
> For example, a shared application wants to create files that can be accessed
> by all users. So, many NT-specific applications specify an ACL when doing
> CreateFile(). It is common to use an "ALL-ACCESS-FOR-EVERYONE" ACL, for two
> reasons, a) because that is what you want, and b) its the only simple thing
> to do with the braindead NT ACL API.
> 
> Note that, on Windows9x, you cannot use ACLs so many "windows" applications
> do NOT use ACLs because they were never designed for NT/2000 in the first
> place.
> 
> The problem is, that this CreateFile() will create the file, but then return
> INVALID_HANDLE_VALUE, because the ACL cannot be set. So, windows thinks the
> file has never been created even though it exists! It is not deleted after
> the failed ACL-settings, either. In the samba log, you can see the entry
> 
> [2001/11/28 11:20:49, 0] smbd/posix_acls.c:unpack_nt_owners(421)
>   unpack_nt_owners: no security info sent !
> 
> The problem is even more serious if you open the file for reading. On
> Windows, if you want to open a file for reading, you do a
> CreateFile(GENERIC_READ,OPEN_EXISTING). Again, you can specify an ACL, and
> if you don't, then everything works OK. But, if you specify an ACL the file
> cannot be opened! even though a normal open without ACL works! Note that
> Windows ignores the ACL if you open the file for reading (the CreateFile API
> documentation explicitly states this), so samba should probably, too.
> 
> I can send you a small program with source to test this behaviour, if anyone
> is interested. I'm trying to install a source version of samba (mine came
> preconfigured with Suse Linux) so as to check if the patch from Paul Herman
> works.

Yes, please send me the source code and .EXE file to test this.
I believe it is fixed in the current CVS trees, but I'd like to
confirm it.

Thanks,

	Jeremy.

More information about the samba-technical mailing list