Fixing ACL Issues
Nagaraj Shyam
Nagaraj_Shyam at symantec.com
Tue Sep 7 12:41:20 MDT 2010
Hi All,
I had posted an email earlier enquiring about the reason for
source4/bin/smbtorture RAW-ACLS test failures in Samba 3.5.4. In my
test configuration, I have "store dos attributes = yes",
"ea support = yes", "vfs object = acl_xattr" for the test share. Most
of the tests are failing because the function:
Smbd daemon calls create_canon_ace_lists() subsequently from
fset_nt_acl_common() which does not find a <uid,gid> mapping for the
test SID S-1-5-32-1234-5432 referred to in one of the ACEs in the ACL
sent over the wire. create_canon_ace_lists() will remove the ACE
containing the S-1-5-32-1234-5432 SID. Further on, create_acl_blob()
and store_acl_blob_fsp() store the canonicalized ACL and return
success.
1. This is not the same behavior seen on Windows servers which
store the blob even if it refers to a SID that it doesn't recognize.
Shouldn't smbd be doing the same, especially if acl_xattr is the vfs
module doing the ACL storage retrieval?
2. If acl_xattr was not the vfs module doing the ACL
storage/retrieval (and posix acls were used instead), then if the
create_canon_ace_lists() finds an unrecognized SID, shouldn't an error
be returned to the smb command over the wire, instead of storing a
different ACL than what the client wants and returning success?
se_access_check() which does the actual ACL evaluation seems to be
capable of handling unrecognized SIDs.
Thanks for any comments/answers to the above.
-Shyam
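
The three behaviours contrasted in the message above (the ACE dropped with success returned, the ACL stored as sent, the request refused), as an added example that is not part of the original post and is not Samba source. It is a simplified model: struct ace, enum policy, sid_is_mapped(), set_acl() and acl_matches() are hypothetical names, and the list of mapped SIDs and the access masks are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not Samba source: an ACE is a SID string plus an access mask. */
struct ace { const char *sid; unsigned mask; };
enum policy { DROP_UNMAPPED, STORE_VERBATIM, REJECT_UNMAPPED };

/* Constructed stand-in for the SID -> <uid,gid> lookup; only these two SIDs map. */
static int sid_is_mapped(const char *sid)
{
    static const char *known[] = { "S-1-5-32-544", "S-1-5-32-545" };
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(sid, known[i]) == 0)
            return 1;
    return 0;
}

/* Store req[] into stored[] under policy p; returns ACEs stored, or -1 if refused. */
static int set_acl(const struct ace *req, int n, struct ace *stored, enum policy p)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (!sid_is_mapped(req[i].sid)) {
            if (p == REJECT_UNMAPPED)
                return -1;       /* question 2: fail rather than alter the ACL */
            if (p == DROP_UNMAPPED)
                continue;        /* reported behaviour: ACE removed silently */
        }
        stored[kept++] = req[i]; /* question 1: unmapped SID kept as sent */
    }
    return kept;
}

/* Read-back check: was the ACL that got stored the one that was requested? */
static int acl_matches(const struct ace *a, int na, const struct ace *b, int nb)
{
    if (na != nb) return 0;
    for (int i = 0; i < na; i++)
        if (strcmp(a[i].sid, b[i].sid) != 0 || a[i].mask != b[i].mask)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed request: one mapped SID plus the test SID from the message. */
    struct ace req[] = { { "S-1-5-32-544", 0x1f01ff }, { "S-1-5-32-1234-5432", 0x120089 } };
    struct ace out[2];
    int n = set_acl(req, 2, out, DROP_UNMAPPED);
    printf("stored %d of 2 ACEs, matches request: %d\n", n, acl_matches(req, 2, out, n));
    return 0;
}
```

Under DROP_UNMAPPED the set call reports success while the read-back comparison fails, which is the mismatch the RAW-ACLS failures described above correspond to in this model.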