Problems with ACLs in 2.2.8
Michael Steffens
michael.steffens at hp.com
Tue Apr 1 12:54:27 GMT 2003
Hello Buck,
Buck Huppmann wrote:
> i'm also seeing some aberrant ACL-setting behavior in samba 2.2.8. more-
> over, the new Creator Owner and Creator Group semantics are bewildering,
> although i can understand if, in that sense, they're just mimicking NT
> behavior all the more closely. at any rate, below's a patch that purports
> to do the following:
>
> 1. the hunk for util_sid.c make the Creator Owner and Creator Group
> icons show up appropriately in my NT-permissions-chooser thingy
>
> 2. the first three hunks for posix_acls.c allows one to drop entries from
> an ACL without having samba re-insert the ``missing'' ACEs behind the
> scenes with the share-default perms. this may or may not address your
> concern
From my understanding Samba has no other choice than inserting missing
object ACEs, because it's impossible to set a POSIX ACL without. The
crucial point not being whether, but what to insert. What does the
client intend when sending an ACL without object entries?
The purpose of the modification in the new ACL code was to cope with
W2k clients attempting to copy ACL from one file to another, as office
apps are doing when storing into temporary files. Without preserving
existing object ACEs the user who has just stored ends up without
write permissions, if write access to the original file was only
via a supplementary group.
> 3. the fourth hunk excepts Creator Owner and Creator Group from being
> dropped from the incoming ACL as ``non-mappable SIDs''
I'm not sure what it actually implies, but sounds promising. Hoping that
this modication could get our missing ACEs "preserved" (i.e. assuming they do
get transmitted but were filtered out) I tried your modifications from
2. and 3.
Bad luck. Still breaks W2k clients copying ACLs to temp files.
How do we want to cope with it?
Cheers!
Michael
>
> 4. the fifth hunk corrects for the fact that--according to the ``-s''
> option description from the setfacl(1) man page of Solaris 2.6, anyway--
> Solaris needs a default ``CLASS_OBJ'' entry if it has any other default
> ACL entries
>
> 5. the sixth hunk makes use of the mask_perms mode that set_canon_ace_list()
> munges all the way through but then does nothing with. this isn't required
> for correct functionality, though, i don't think
>
> 6. the seventh hunk (in NT4-compatible mode) abridges the code to elide
> the non-default ACL entry for the group owner if the group owner has no
> permissions, since i thought this might allay confusion, as indicated by
> the CPP macro name used there. again, this isn't required for correct
> functionality
>
> none of these are meant to be applied to anybody's samba source tree; i'm
> just trying to point out some areas that may need attention
>
> i think, however, for my purposes, i'm just going to drop in the old 2.2.7
> posix_acls.c, since i find named ACEs with non-bogus perms in both parenthe-
> sized slots in the NT-permissions-thingy display much less confusing, if a
> bit misleading
>
> --buck
>
> On Tue, Mar 25, 2003 at 01:39:22AM +0000, Jan Houstek wrote:
>
>>Hi all!
>>
>>I posted this in samba at lists.samba.org but there were no reactions.
>>Particulary I'm interested if anyone observe the same behavior.
>>
>>-- Honza Houstek
>>
>>--------------------------------------------------------------
>>
>>server:
>> linux 2.4.19 with xfs 1.2 and its ACL
>> libacl 2.0.19
>> samba 2.2.8 compiled from source with --with-acl-support
>> acting as PDC
>> interesting parts of smb.conf
>> create mask = 0600
>> directory mask = 0700
>> [testshare]
>> path = /data/testshare
>> readonly = No
>>client:
>> 1) Windows XP, servicepack 1.2a
>> 2) smbmount from another linux box
>>
>>server:~# getfacl /data/testshare/testdir
>># file: testdir
>># owner: testuser
>># group: users
>>user::rwx
>>group::---
>>group:somegroup:r-x
>>group:anothergroup:rwx
>>mask::rwx
>>other::---
>>default:user::rwx
>>default:group::---
>>default:group:somegroup:r-x
>>default:group:anothergroup:rwx
>>default:mask::rwx
>>default:other::---
>>
>>server:~# umask 007
>>server:~# mkdir /data/testshare/testdir/test1
>>server:~# getfacl /data/testshare/testdir/test1
>># file: test1
>># owner: root
>># group: root
>>user::rwx
>>group::---
>>group:somegroup:r-x
>>group:anothergroup:rwx
>>mask::rwx
>>other::---
>>default:user::rwx
>>default:group::---
>>default:group:somegroup:r-x
>>default:group:anothergroup:rwx
>>default:mask::rwx
>>default:other::---
>>
>>On windows:
>> logon to domain as testuser
>> create test2 in testdir (right mouse button -> New -> Folder)
>>
>>server:~# getfacl /data/testshare/testdir/test2
>># file: test2
>># owner: testuser
>># group: users
>>user::rwx
>>group::rwx # !!! problem !!!
>>group:somegroup:r-x
>>group:anothergroup:rwx
>>mask::rwx
>>other::---
>>default:user::rwx
>>default:group::---
>>default:group:somegroup:r-x
>>default:group:anothergroup:rwx
>>default:mask::rwx
>>default:other::---
>
>
> --- samba-2.2.8/source/lib/util_sid.c.orig Fri Mar 14 16:34:47 2003
> +++ samba-2.2.8/source/lib/util_sid.c Mon Mar 31 07:50:10 2003
> @@ -64,7 +64,8 @@
> {0, (enum SID_NAME_USE)0, NULL}};
>
> static known_sid_users creator_owner_users[] = {
> - { 0, SID_NAME_ALIAS, "Creator Owner" },
> + { 0, SID_NAME_WKN_GRP, "Creator Owner" },
> + { 1, SID_NAME_WKN_GRP, "Creator Group" },
> {0, (enum SID_NAME_USE)0, NULL}};
>
> static known_sid_users nt_authority_users[] = {
> --- samba-2.2.8/source/smbd/posix_acls.c.orig Fri Mar 14 16:34:49 2003
> +++ samba-2.2.8/source/smbd/posix_acls.c Mon Mar 31 09:10:10 2003
> @@ -653,6 +653,7 @@
> * we would get mask instead of group. Let's do it via ACL.
> */
>
> +#if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL
> if (setting_acl && (!got_user || !got_grp || !got_other)) {
>
> SMB_ACL_ENTRY_T entry;
> @@ -701,6 +702,7 @@
> fsp->fsp_name));
> }
> }
> +#endif /* RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL */
>
> if (!got_user) {
> if ((pace = (canon_ace *)malloc(sizeof(canon_ace))) == NULL) {
> @@ -757,7 +759,11 @@
> if (got_other)
> pace->perms = pace_other->perms;
> else
> +#if GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER
> pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
> +#else /* GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER */
> + pace->perms = 0;
> +#endif /* GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER */
> }
> apply_default_perms(fsp, pace, S_IRGRP);
> } else {
> @@ -945,7 +951,9 @@
> * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
> */
>
> - if (non_mappable_sid(&psa->trustee)) {
> + if (non_mappable_sid(&psa->trustee) &&
> + !sid_equal(&psa->trustee, &global_sid_Creator_Owner) &&
> + !sid_equal(&psa->trustee, &global_sid_Creator_Group)) {
> fstring str;
> DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
> sid_to_string(str, &psa->trustee) ));
> @@ -1820,6 +1828,8 @@
> #if defined(POSIX_ACL_NEEDS_MASK)
> /* HP-UX always wants to have a mask (called "class" there). */
> needs_mask = True;
> +#else if defined(SOLARIS_ACLS)
> + needs_mask = default_ace ? True : False;
> #endif
>
> if (the_acl == NULL) {
> @@ -1956,7 +1966,7 @@
> goto done;
> }
>
> - if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
> + if (map_acl_perms_to_permset(conn, mask_perms, &mask_permset) == -1) {
> DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
> goto done;
> }
> @@ -2350,11 +2360,13 @@
> }
> #endif
>
> +#if HIDE_0_PERM_CREATOR_GROUP_FILE_ACE_THOUGH_USERS_MAY_KEEP_RESETTING_DIR_ACE_IN_VAIN_EVEN_NOT_KNOWING_WHO_CREATOR_GROUP_IS
> ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
> if (ace && !ace->perms) {
> DLIST_REMOVE(file_ace, ace);
> SAFE_FREE(ace);
> }
> +#endif /* HIDE_0_PERM_CREATOR_GROUP_FILE_ACE_THOUGH_USERS_MAY_KEEP_RESETTING_DIR_ACE_IN_VAIN_EVEN_NOT_KNOWING_WHO_CREATOR_GROUP_IS */
> } else {
>
> ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
More information about the samba-technical
mailing list