Problem with default ACLs

Jeremy Allison jra at samba.org
Fri Oct 5 13:38:03 GMT 2001


On Mon, Oct 01, 2001 at 04:22:55PM +0200, Olaf Frączyk wrote:
> Hi,
> I found two problems with default ACLs. I use the XFS filesystem, and Windows
> NT 4.0 Workstation SP 6a as the client. Samba: today's CVS.
> 1.
> create directory 'test_folder'
> and set ACL:
> test_folder [u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx/u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx]
> now, I go into the folder and create (in WinNT) a file "test.txt":
> the ACL it has is:
> test.txt [u:olaf:---,u:piotr:rwx,g::rw-,u::rwx,o::rw-,m::rwx]
> 
> So, user 'olaf' has no permissions, but 'other' has 'rw' permissions.
> 
> If I create e.g. "test2.txt" (touch test2.txt) in UNIX box then I have:
> test2.txt [u:olaf:---,u:piotr:rwx,g::rwx,u::rw-,o::---,m::rw-]
> 
> So both 'olaf' and 'other' have no permissions (and this is correct).
> 
> 2. In the above example there is one more ugly thing:
> the 'x' permission for files. As you see if the default ACL is "rwx", then
> a file which is created has:
> Using WinNT: "rwx" permissions
> Using UNIX: "rw" permissions (which, I think, is more expected).
> Yes, I know 'piotr' has 'rwx', but there is mask 'rw-', so the effective
> rights are 'rw-'.
> I know that you want to keep mask "rwx" because it is simpler to deal with
> Windows permissions, but the bits masked out by mask should be cleared for
> other entries.

Ok, the issue here is what takes precedence. Under Windows,
it's perfectly possible to create a file and give *no* initial
security permissions, and have everything inherited from the
parent directory.

Fortunately, under UNIX, this is not the case. All create
calls *must* have an initial ugo permission set given. What
you're seeing is a conflict between the initial ugo permission
set that Samba assigns when creating a new file (this comes
from the unix_mode() function in smbd/dosmode.c) and the
default ACL on a directory.

The problem is when creating a file, given the standard
open_file_and_X call, the initial mode bits Samba assigns
are 744 (ie. rwxr--r--). In a directory with default ACLs
these permissions take precedence over the default ACL
permissions.

I could look at modifying this so that the default ACL
permissions are used as default when calculating the initial
create mode, but this probably won't get done for 2.2.2.

Thanks,

	Jeremy.
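
The interaction between a create mode and a directory's default ACL, as an added example that is not part of the original message and is not Samba or kernel code: it models the acl(5) inheritance rule and reproduces the test2.txt listing from the quoted report for a create with mode 0666 (what touch passes). It assumes the bracket notation shown in the post, with the default ACL being the part after "/"; the function names are hypothetical.

```python
# Added example: a model of acl(5) default-ACL inheritance, not Samba code.
PERM = {"r": 4, "w": 2, "x": 1}

def parse_acl(text):
    """Parse 'u:olaf:---,g::rwx,...' into {(tag, qualifier): bits}."""
    acl = {}
    for entry in text.strip("[] ").split(","):
        tag, qual, perms = entry.split(":")
        acl[(tag, qual)] = sum(PERM[c] for c in perms if c != "-")
    return acl

def inherit(default_acl, mode):
    """Access ACL of a file created with `mode` under a default ACL.

    The owner, other and mask entries (group owner when there is no mask)
    are ANDed with the matching class bits of the create mode; the umask
    is not applied when a default ACL exists.
    """
    acl = dict(default_acl)
    acl[("u", "")] &= (mode >> 6) & 7
    group_class = ("m", "") if ("m", "") in acl else ("g", "")
    acl[group_class] &= (mode >> 3) & 7
    acl[("o", "")] &= mode & 7
    return acl

def effective(acl):
    """Effective rights: named users and all group entries are limited by the mask."""
    mask = acl.get(("m", ""), 7)
    out = {}
    for (tag, qual), bits in acl.items():
        if tag == "m":
            continue
        masked = tag == "g" or (tag == "u" and qual != "")
        out[(tag, qual)] = bits & mask if masked else bits
    return out

def fmt(bits):
    return "".join(c if bits & v else "-" for c, v in PERM.items())

# Default ACL of test_folder, copied from the post (the part after '/').
DEFAULT = parse_acl("u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx")

def report(mode):
    """Effective permissions per entry for a file created with `mode`."""
    eff = effective(inherit(DEFAULT, mode))
    return {f"{t}:{q}": fmt(b) for (t, q), b in eff.items()}

if __name__ == "__main__":
    for mode in (0o666, 0o744):  # touch's mode, and the mode named in the reply
        print(oct(mode), report(mode))
```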



