Problem with default ACLs

Jeremy Allison jra at samba.org
Fri Oct 5 13:50:04 GMT 2001


On Fri, Oct 05, 2001 at 01:37:18PM -0700, Jeremy Allison wrote:
> On Mon, Oct 01, 2001 at 04:22:55PM +0200, Olaf Fr?czyk wrote:
> > Hi,
> > I found two problems with default ACLs. I use the XFS filesystem, and Windows
> > NT 4.0 Workstation SP 6a as the client. Samba: today's CVS.
> > 1.
> > create directory 'test_folder'
> > and set ACL:
> > test_folder [u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx/u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx]
> > now, I go into the folder and create (in WinNT) a file "test.txt":
> > the ACL it has is:
> > test.txt [u:olaf:---,u:piotr:rwx,g::rw-,u::rwx,o::rw-,m::rwx]
> > 
> > So, user 'olaf' has no permissions, but 'other' has 'rw' permissions.
> > 
> > If I create e.g. "test2.txt" (touch test2.txt) in UNIX box then I have:
> > test2.txt [u:olaf:---,u:piotr:rwx,g::rwx,u::rw-,o::---,m::rw-]
> > 
> > So both 'olaf' and 'other' have no permissions (and this is correct).
> > 
> > 2. In the above example there is one more ugly thing:
> > the 'x' permission for files. As you see if the default ACL is "rwx", then
> > a file which is created has:
> > Using WinNT: "rwx" permissions
> > Using UNIX: "rw" permissions (which, I think, is more expected).
> > Yes, I know 'piotr' has 'rwx', but there is mask 'rw-', so the effective
> > rights are 'rw-'.
> > I know that you want to keep mask "rwx" because it is simpler to deal with
> > Windows permissions, but the bits masked out by mask should be cleared for
> > other entries.
> 
> Ok, the issue here is what takes precedence. Under Windows,
> it's perfectly possible to create a file and give *no* initial
> security permissions, and have everything inherited from the
> parent directory.
> 
> Fortunately, under UNIX, this is not the case. All create
> calls *must* have an initial ugo permission set given. What
> you're seeing is a conflict between the initial ugo permission
> set that Samba assigns when creating a new file (this comes
> from the unix_mode() function in smbd/dosmode.c) and the
> default ACL on a directory.
> 
> The problem is when creating a file, given the standard
> open_file_and_X call, the initial mode bits Samba assigns
> are 744 (ie. rwxr--r--). In a directory with default ACLs
> these permissions take precedence over the default ACL
> permissions.
> 
> I could look at modifying this so that the default ACL
> permissions are used as default when calculating the initial
> create mode, but this probably won't get done for 2.2.2.

Ok - you can get the effect you need under 2.2.2 by adding
the parameter "inherit permissions = Yes" to the share in
question. This causes the initial mode_t to be inherited
from the parent directory, which is essentially what you
want.

In order to do this on the fly, we need a fast way to tell
if a directory has a default ACL set upon it, in which case
we treat create modes as though the "inherit permissions"
parameter were set. Hmmmmmm.

Jeremy.
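
Added example (not part of the original message, and not Samba code): a Python model of the POSIX.1e rule from acl(5) for a file created under a default ACL, run against the ACL strings quoted in the post. The function names are hypothetical; it reproduces the `touch` result for create mode 0666 and flags entries on a file that grant more than the directory's default ACL.

```python
# ACL strings copied from the post (directory default ACL and the two files).
DEFAULT = "u:olaf:---,u:piotr:rwx,g::rwx,u::rwx,o::---,m::rwx"
NT_FILE = "u:olaf:---,u:piotr:rwx,g::rw-,u::rwx,o::rw-,m::rwx"
UNIX_FILE = "u:olaf:---,u:piotr:rwx,g::rwx,u::rw-,o::---,m::rw-"

def parse_acl(text):
    """Parse 'u:olaf:---,g::rwx,...' into {(tag, qualifier): set of perm chars}."""
    acl = {}
    for entry in text.split(","):
        tag, qualifier, perms = entry.strip().split(":")
        acl[(tag, qualifier)] = set(perms) - {"-"}
    return acl

def mode_bits(mode, shift):
    """Return the rwx set for one octal digit of a create mode."""
    digit = (mode >> shift) & 7
    return {c for c, bit in zip("rwx", (4, 2, 1)) if digit & bit}

def inherit(default_acl, create_mode):
    """Access ACL of a new file: the default ACL, with owner, mask and other
    limited to what create_mode grants. Named entries and g:: are unchanged."""
    acl = {key: set(perms) for key, perms in default_acl.items()}
    # The group digit of the mode applies to the mask if there is one.
    group_class = ("m", "") if ("m", "") in acl else ("g", "")
    acl[("u", "")] &= mode_bits(create_mode, 6)
    acl[group_class] &= mode_bits(create_mode, 3)
    acl[("o", "")] &= mode_bits(create_mode, 0)
    return acl

def effective(acl, key):
    """Named users, named groups and g:: are filtered through the mask;
    the owner (u::) and other (o::) entries are not."""
    perms = acl[key]
    if key in (("u", ""), ("o", "")) or ("m", "") not in acl:
        return perms
    return perms & acl[("m", "")]

def exceeds_default(file_acl, default_acl):
    """Entries whose effective rights on the file exceed the directory default."""
    flagged = []
    for key in file_acl:
        allowed = effective(default_acl, key) if key in default_acl else set()
        if not effective(file_acl, key) <= allowed:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    print(exceeds_default(parse_acl(NT_FILE), parse_acl(DEFAULT)))
```

Running the same check over a share's tree after a change to create-mode settings shows whether any file ended up more permissive than its directory's default ACL.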



