HP-UX ACL code for modularized ACL-implementation

Michael Adam ma at sernet.de
Sat Apr 7 09:14:15 GMT 2007


Hi Don!

Thanks for the testing and detailed reporting.
I will study the logs and try to fix the code. 
The behaviour is indeed strange! 

Not sure if I will make a lot of progress
over the Easter weekend, though. ;-)

Best, Michael

On Fri, Apr 06, 2007 at 09:26:06 -0400, McCall, Don (GSE-WTEC-Alpharetta) wrote:
> Hi Michael;
> I'll send you the logs in a private email, so as not to clog up samba-technical, but I have done a few tests:
> Samba 3.0.25pre2 in user level security:
> 
> 1. created directory acltest
> 2. created file acltest/acltest.doc
> 3. using WindowsXP SP2, right clicked on acltest dir, properties/security, advanced/find, chose user 'test'.
> 4. applied 'full control' ace for user 'test' on directory acltest, and applied.  This worked.
> 5. same procedure, but this time applied 'read' ace for user 'test' on file acltest/acltest.doc.  This also worked.  You can see the level 10 debug logs in the file log.acltestDIR-File that I will send separately.
> 
> 6. Attempted to change the ace for the owning group of the file: (Unix Group/users) to read only.  Highlighted the UnixGroup/users entry, and changed permissions so that only 'read' was checked; hit 'apply'. This behaved weirdly.  I got no error, but all of the permission boxes in the security tab for this group went back to unchecked, and verifying with hpux command getacl /tmp/acltest shows:
> # file: /tmp/acltest
> # owner: ddmc
> # group: users
> user::rwx
> user:test:rwx
> group::r-x
> class:rwx
> other:r-x
> default:user::rwx
> default:user:test:rwx
> default:group::r--
> default:class:rwx
> default:other:---
> 6. I then tried setting full control for this same group, with the same behavior.  No error, and all the permission boxes went to blank, but getacl DOES show that this change was applied to the 'default:group':
> # file: /tmp/acltest
> # owner: ddmc
> # group: users
> user::rwx
> user:test:rwx
> group::rwx
> class:rwx
> other:r-x
> default:user::rwx
> default:user:test:rwx
> default:group::rwx
> default:class:rwx
> default:other:---
> 7. finally, I tried to change the owning user to remove the execute permission: had boxed 'list folder content','read', and 'write' boxes checked, and hit apply, again all the check boxes went back to blank, but getacl shows no change in the acl as a result of this attempt:
> # file: /tmp/acltest
> # owner: ddmc
> # group: users
> user::rwx
> user:test:rwx
> group::rwx
> class:rwx
> other:r-x
> default:user::rwx
> default:user:test:rwx
> default:group::rwx
> default:class:rwx
> default:other:---
> 
> You can see what's going on in the file (sent separately) named log.acltestDIR-weird.
> 
> Finally, I created a new directory, and before adding any other users to the acl list, I simply tried to modify the owning user's ace to 'list','read','write'.  When I do this (note that no creator owner or creator group are listed in the acl list from WinXP when the directory is initially created, and in fact does not show up until you ADD another user to the acl list, which makes me think this is probably an issue with applying the default ace on the directory), I get the following error: "Unable to save permission changes on testacl1.  Access is denied."
> The debug log for this is log.acltest1DIR-Failed
> 
> I'm also sending you our (HP's) lib/sysacls.c, as we have made a number of changes to that code that may not have made it back into the version that you probably worked off of when you created the vfs module; perhaps that will help track down what is happening.
> 
> If you have any ideas, give me a yell over email and we can discuss privately, or I can make code changes and retest.
> 
> Thanks for all your work!
> Don
> 
> 
> 
> 
> -----Original Message-----
> From: Michael Adam [mailto:ma at sernet.de] 
> Sent: Wednesday, April 04, 2007 5:36 PM
> To: McCall, Don (GSE-WTEC-Alpharetta); samba-technical at lists.samba.org
> Subject: Re: HP-UX ACL code for modularized ACL-implementation
> 
> Hi Don, 
> 
> thanks for starting with tests of the module!
> 
> The "const char *" vs "char *" warnings are not critical
> (hopefully, HP-UX's acl call does not alter the pathp
> argument... ;-) and can easily be eliminated.
> And yes, the hpux_count_obj function should be of type void.
> 
> Keeping these points in mind, I am curious what the
> results of the functionality tests will be.
> 
> Thanks for now. Best, 
> 
> Michael
> 
> On Wed, Apr 04, 2007 at 12:13:57 -0400, McCall, Don (GSE-WTEC-Alpharetta) wrote:
> > 
> > "modules/vfs_hpuxacl.c", line 837: warning #2940-D: missing return statement at 
> > end of non-void function "hpux_count_obj"
> >   }
> >   ^
> > 
> > Linking bin/smbd
> >   ^
> 
> Hm, were there any warnings from the linking process? 
> Your quote ends here.
> 
> -- 
> Michael Adam <ma at sernet.de>
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.SerNet.DE, mailto: Info @ SerNet.DE

-- 

i.A. Michael Adam

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
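
The three `getacl /tmp/acltest` listings in the test report quoted above can be compared entry by entry instead of by eye. The following is an added example, not part of the thread and not Samba code; the function names `parse_getacl` and `diff_acl` are hypothetical, and the listings are copied from the report.

```python
# getacl /tmp/acltest listings copied from the report quoted above.
AFTER_READ_ONLY = """\
# file: /tmp/acltest
# owner: ddmc
# group: users
user::rwx
user:test:rwx
group::r-x
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::r--
default:class:rwx
default:other:---
"""
# Second listing; the three '#' header lines are left out here.
AFTER_FULL_CONTROL = """\
user::rwx
user:test:rwx
group::rwx
class:rwx
other:r-x
default:user::rwx
default:user:test:rwx
default:group::rwx
default:class:rwx
default:other:---
"""
AFTER_OWNER_EDIT = AFTER_FULL_CONTROL  # third listing is identical in the report

def parse_getacl(text):
    """Map each ACL entry (e.g. 'default:group:') to its rwx string."""
    acl = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):  # skip header comments
            key, _, perms = line.strip().rpartition(":")
            acl[key] = perms
    return acl

def diff_acl(before, after):
    """Return {entry: (old, new)} for entries whose permissions differ."""
    a, b = parse_getacl(before), parse_getacl(after)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}

if __name__ == "__main__":
    print("full control:", diff_acl(AFTER_READ_ONLY, AFTER_FULL_CONTROL))
    print("owner edit:", diff_acl(AFTER_FULL_CONTROL, AFTER_OWNER_EDIT) or "no change")
```

Running the same comparison against a listing captured before each Windows-side change gives a per-step record of which access and default entries smbd actually wrote.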

