HP-UX ACL code for modularized ACL-implementation

McCall, Don (GSE-WTEC-Alpharetta) don.mccall at hp.com
Fri Apr 6 13:26:06 GMT 2007


Hi Michael;
I'll send you the logs in a private email, so as not to clog up samba-technical, but I have done a few tests:
Samba 3.0.25pre2 in user level security:

1. created directory acltest
2. created file acltest/acltest.doc
3. using WindowsXP SP2, right clicked on acltest dir, properties/security, advanced/find, chose user 'test'.
4. applied 'full control' ace for user 'test' on directory acltest, and applied.  This worked.
5. same procedure, but this time applied 'read' ace for user 'test' on file acltest/acltest.doc.  This also worked.  You can see the level 10 debug logs in the file log.acltestDIR-File that I will send separately.

6. Attempted to change the ace for the owning group of the file: (Unix Group/users) to read only.  Highlighted the UnixGroup/users entry, and changed permissions so that only 'read' was checked; hit 'apply'. This behaved weirdly.  I got no error, but all of the permission boxes in the security tab for this group went back to unchecked, and verifying with hpux command getacl /tmp/acltest shows:
# file: /tmp/acltest
# owner: ddmc
# group: users
user::rwx
user:test:rwx
group::r-x
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::r--
default:class:rwx
default:other:---
6. I then tried setting full control for this same group, with the same behavior.  No error, and all the permission boxes went to blank, but getacl DOES show that this change was applied to the 'default:group':
# file: /tmp/acltest
# owner: ddmc
# group: users
user::rwx
user:test:rwx
group::rwx
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::rwx
default:class:rwx
default:other:---
7. finally, I tried to change the owning user to remove the execute permission: had the 'list folder content', 'read', and 'write' boxes checked, and hit apply, again all the check boxes went back to blank, but getacl shows no change in the acl as a result of this attempt:
# file: /tmp/acltest
# owner: ddmc
# group: users
user::rwx
user:test:rwx
group::rwx
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::rwx
default:class:rwx
default:other:---

You can see what's going on in the file (sent separately) named log.acltestDIR-weird.

Finally, I created a new directory, and before adding any other users to the acl list, I simply tried to modify the owning user's ace to 'list','read','write'.  When I do this (note that no creator owner or creator group are listed in the acl list from WinXP when the directory is initially created, and in fact does not show up until you ADD another user to the acl list, which makes me think this is probably an issue with applying the default ace on the directory), I get the following error: "Unable to save permission changes on testacl1.  Access is denied."
The debug log for this is log.acltest1DIR-Failed

I'm also sending you our (HP's) lib/sysacls.c, as we have made a number of changes to that code that may not have made it back into the version that you probably worked off of when you created the vfs module; perhaps that will help track down what is happening.

If you have any ideas, give me a yell over email and we can discuss privately, or I can make code changes and retest.

Thanks for all your work!
Don




-----Original Message-----
From: Michael Adam [mailto:ma at sernet.de] 
Sent: Wednesday, April 04, 2007 5:36 PM
To: McCall, Don (GSE-WTEC-Alpharetta); samba-technical at lists.samba.org
Subject: Re: HP-UX ACL code for modularized ACL-implemetation

Hi Don, 

thanks for starting with tests of the module!

The "const char *" vs "char *" warnings are not critical
(hopefully, HP-UX's acl call does not alter the pathp
argument... ;-) and can easily be eliminated.
And yes, the hpux_count_obj function should be of type void.

Keeping these points in mind, I am curious what the
results of the functionality tests will be.

Thanks for now. Best, 

Michael

On Mi, Apr 04, 2007 at 12:13:57 -0400, McCall, Don (GSE-WTEC-Alpharetta) wrote:
> 
> "modules/vfs_hpuxacl.c", line 837: warning #2940-D: missing return statement at 
> end of non-void function "hpux_count_obj"
>   }
>   ^
> 
> Linking bin/smbd
>   ^

Hm, were there any warnings from the linking process? 
Your quote ends here.

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
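
The getacl listings in the message above can be compared mechanically between test steps. The following is an added example, not part of either mail and not Samba or HP code; the function names are hypothetical, and the listing text is rebuilt from the three getacl outputs shown in the message.

```python
# Added example: diff getacl listings and compare access vs. default entries.
# TEMPLATE reproduces the listing from the message; only the two group
# entries differ between the three outputs shown there.
TEMPLATE = """\
# file: /tmp/acltest
# owner: ddmc
# group: users
user::rwx
user:test:rwx
group::{g}
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::{dg}
default:class:rwx
default:other:---
"""
AFTER_READ_ONLY = TEMPLATE.format(g="r-x", dg="r--")    # first listing
AFTER_FULL_CONTROL = TEMPLATE.format(g="rwx", dg="rwx")  # second listing
AFTER_OWNER_EDIT = TEMPLATE.format(g="rwx", dg="rwx")    # third listing

def parse_getacl(text):
    """Map each ACL entry (everything before the last ':') to its permissions."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blank and header lines
            continue
        key, _, perms = line.rpartition(":")
        acl[key] = perms
    return acl

def diff_acl(before, after):
    """Return {entry: (old, new)} for entries whose permissions changed."""
    b, a = parse_getacl(before), parse_getacl(after)
    return {k: (b.get(k), a.get(k))
            for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}

def access_vs_default(text):
    """Return access entries whose 'default:' counterpart differs."""
    acl = parse_getacl(text)
    return {k: (v, acl["default:" + k]) for k, v in acl.items()
            if not k.startswith("default:")
            and acl.get("default:" + k, v) != v}

if __name__ == "__main__":
    print(diff_acl(AFTER_READ_ONLY, AFTER_FULL_CONTROL))
    print(diff_acl(AFTER_FULL_CONTROL, AFTER_OWNER_EDIT))
    print(access_vs_default(AFTER_READ_ONLY))
```

Running getacl before and after each change made from the Windows security tab and feeding both outputs to `diff_acl` shows which entry, access or default, the server actually modified.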

