POSIX ACL to NT ACL bugs in get_nt_acl()

Sergey Zhitomirsky szh at 7ka.mipt.ru
Fri Mar 7 15:06:40 GMT 2003


Hello, the behaviour described below happens both in samba 2.2.7a and 3.0-alpha22 (--with-acl-support).

First bug:
As is easy to check, smbd, when asked about the ACL of a file,
never sends DENY Access Control Entries to the client OS, only ALLOW.

So, for example, for an XFS file with ACL:

 # owner: a
 user::r--
 group::rwx
 other::rwx
 
  The Win2K security tab shows for user "a":
   Read & exec = <nothing here>
   Read        = Allowed
   Write       = <nothing here>

 But in fact, the POSIX ACL will allow user "a" to read the file
 and deny writing or executing it, as POSIX ACL will not consult any
 other ACL entries after finding the appropriate user:: entry.

 Now let's see what the Win2K user will expect when looking at this ACL.
 As NT ACL logic assumes that, in the case of <nothing here>,
  further ACL entries will be consulted, in this case the NT user supposes
  that he has "rwx" rights on the file due to the other::rwx rule,
  shown in the Win2K security tab as   Everybody: Full Access = Allowed

  but when he tries to write, he receives Permission Denied.
  So this situation is plain wrong;
  the flags sent to Win2K must have been instead:
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  So that is a samba bug, as samba must have sent DENY for "write" and
  "execute" and ALLOW for "read" for this user's file ("user::r--"),
  but now it just sends ALLOW for "read".


Second bug:
The Take Ownership flag is currently always set to ALLOWED for EVERY ACE,
but actually only the root user can take ownership of a file under Unix,
so this is plain wrong.
As far as I see, this bug was introduced because of the first bug AND
NT4 refusing to show an empty ACL.

Third Bug:
In POSIX every user who can see a file can also always
   1) Read the ACL of the file
   2) Read the attributes of the file.
So SMBD should always show that these things are allowed, but it fails to
do that.
Of course, due to the FIRST BUG this is not very annoying, as there are no
entries shown saying that this is forbidden.


In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a &
3.0 alpha 22.


--
Zhitomirsky Sergey.
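To make the first bug concrete, here is an added example (not Samba's code and not the patches the author announces) that translates the post's POSIX ACL into NT ACEs once with ALLOW entries only, as smbd is described doing, and once with a DENY ACE for the bits each entry withholds, then evaluates what user "a" gets either way. The access bits, the "Owner"/"Group"/"Everyone" names and the simplified DACL walk are assumptions of this example, not Samba's real masks or SIDs.

```c
#include <stdbool.h>
#include <string.h>
/* Simplified access bits shared by both sides (constructed for this example, not Samba's real masks). */
#define ACC_R 4
#define ACC_W 2
#define ACC_X 1
#define ACC_ALL (ACC_R | ACC_W | ACC_X)
struct posix_ace { const char *tag; int mode; };            /* tag: "user", "group" or "other" */
struct nt_ace    { bool deny; const char *who; int mask; }; /* who: "Owner", "Group" or "Everyone" */

/* The post's XFS file: owner a has r--, group and other have rwx (minimal ACL, no mask entry). */
static const struct posix_ace example_acl[3] = { {"user", ACC_R}, {"group", ACC_ALL}, {"other", ACC_ALL} };
static const char *example_sid[3] = { "Owner", "Group", "Everyone" };

/* POSIX check: the first entry whose class matches the caller decides; later entries are not consulted. */
int posix_access(const struct posix_ace *acl, int n, const char *cls) {
    for (int i = 0; i < n; i++)
        if (strcmp(acl[i].tag, cls) == 0) return acl[i].mode;
    return 0;
}

/* NT-style DACL walk: a matching DENY ACE removes bits, a matching ALLOW ACE adds bits not already
 * denied. "Everyone" matches every caller; group membership is ignored here for brevity. */
int nt_access(const struct nt_ace *dacl, int n, const char *who) {
    int granted = 0, denied = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(dacl[i].who, who) != 0 && strcmp(dacl[i].who, "Everyone") != 0) continue;
        if (dacl[i].deny) denied |= dacl[i].mask;
        else              granted |= dacl[i].mask & ~denied;
    }
    return granted;
}

/* Translate one POSIX entry. with_deny=false reproduces what the post describes (ALLOW ACEs only);
 * with_deny=true first emits a DENY ACE for the bits the entry withholds. Returns ACEs written. */
int translate(const struct posix_ace *e, const char *who, bool with_deny, struct nt_ace *out) {
    int n = 0, missing = ACC_ALL & ~e->mode;
    if (with_deny && missing) out[n++] = (struct nt_ace){ true, who, missing };
    if (e->mode)              out[n++] = (struct nt_ace){ false, who, e->mode };
    return n;
}

/* Build the DACL for example_acl and return what user "a" (the owner) gets under NT evaluation:
 * 7 (rwx) with ALLOW-only ACEs, 4 (r--) once the DENY ACE is emitted, matching posix_access(). */
int effective_for_owner(bool with_deny) {
    struct nt_ace dacl[6]; int n = 0;
    for (int i = 0; i < 3; i++) n += translate(&example_acl[i], example_sid[i], with_deny, dacl + n);
    return nt_access(dacl, n, "Owner");
}
```

With ALLOW-only ACEs the Everyone entry makes write and execute look granted to the owner, which is exactly the mismatch the post describes; emitting the DENY ACE first brings the NT view back in line with the POSIX decision.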


