Who should be the owner of newly created files when the creator is in the local Administrators group

simo idra at samba.org
Mon Apr 30 14:47:23 MDT 2012

On Mon, 2012-04-30 at 13:24 -0700, Jeremy Allison wrote: 
> On Mon, Apr 30, 2012 at 01:18:47PM -0700, Richard Sharpe wrote:
> > >>
> > >> Well, if acl_xattr (or even acl_tdb) is in use, we do not care at all
> > >> about POSIX groups.
> > >
> > > That's not true at all, even when using acl_xattr we still fill in posix
> > > ACLs, as that's what's used by the system, and we still let the kernel
> > > us posix acls to check access to the file (mostly :).
> > 
> > Oh my, so you mean that the system I work on works by magic? We have
> > no posix ACLs and do not let any such thing get passed to the
> > underlying file system (and it is accessed via user space.)
> > 
> > >> So, from my perspective, modules/vfs_acl_common.c can get it right and
> > >> things will be fine.
> > >
> > > It's more complex that that, afaicr.
> > 
> > I yield to your superior knowledge of the code I have been working on.
> > 
> > > Jeremy,
> > > care to comment ?
> Now now children, no more aguing or you both go to bed
> without any milk and cookies :-) :-).
> If sid_to_uid() "just works" (tm) for an incoming group-as-owner
> and returns a valid uid, then the posix_acl code will not
> know any different, and if we're using the xattr store for
> the Windows ACL on top, then Windows won't know any different
> either.
> The magic part is making sid_to_uid() "just work" when
> given an owner SID of DOMAIN\Administrators. That's the
> part I'm least competent to comment on, as it's in the
> realm of Simo and id-mapping. So I won't :-).

It really depends on how idmapping is done.
For example if you take a samba system that uses /etc/passwd and just
maps users/groups to system users/groups it will probably not work well,
as you cannot guarantee that when gid 12345 is assigned to Domain
Administrators that uid 12345 is free to use and not assigend to a legal

We can do this only for users that are idmapped with an idamp module
that unifies the ID spaces and never allow a uid number to be used as a
gid for an unrelated group and vice versa.

However we *could* have a special mapper for gid ownership for the cases
when a suitable idmapping module cannot be used (ie all cases where ids
are assigned manually or inherited by older installs). This mapper would
grab a new uid space area and just allocate uids when the ACL code needs
one to set a group as an owner. However this stuff would complicate
imdapping even more.

So an we make sid_to_uid() just work ? Maybe, but it really depends on
where you want to balance the complexity of this stuff. I would restrict
the applicable cases and make it possible only when a specific idmap
module is use, OEMs/NAS vendors wouldn't have huge issues with this.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>

More information about the samba-technical mailing list