[PATCH] Add "zfsacl:force inheritance special id ace" parameter
SATOH Fumiyasu
fumiyas at osstech.co.jp
Sat Feb 11 02:04:14 MST 2012
Append the non-effective ACE 'everyone@::fd:allow' if the
specified ACL has no inheritance special id ACE.
When a directory has no inheritance special id ACE (i.e.,
'owner@', 'group@' and 'everyone@' with inheritance flags),
a new file under the directory inherits the ACL with unexpected
DENY special id ACEs. It is NOT compatible with the Windows Explorer
ACL editor.
$ uname -a
SunOS fmys-s10 5.10 Generic_142910-17 i86pc i386 i86pc
$ zfs get aclinherit rpool/share
NAME PROPERTY VALUE SOURCE
rpool/share aclinherit passthrough local
$ mkdir dir
$ chmod A=group:staff:rwxpd-aARWcCos:fd----:allow dir
$ touch dir/file-inherit-bad-ace
$ ls -dV dir dir/file-inherit-bad-ace
d---------+ 2 root root 3 Feb 11 19:01 dir
group:staff:rwxpd-aARWcCos:fd----:allow
-rw-r--r--+ 1 root root 0 Feb 11 19:01 dir/file-inherit-bad-ace
group:staff:-wxp----------:------:deny
group:staff:rwxpd-aARWcCos:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
$ chmod A1+everyone@::fd:allow dir
$ touch dir/file-inherit-good-ace
$ ls -dV dir dir/file-inherit-good-ace
d---------+ 2 root root 4 Feb 11 19:02 dir
group:staff:rwxpd-aARWcCos:fd----:allow
everyone@:--------------:fd----:allow
----------+ 1 root root 0 Feb 11 19:02 dir/file-inherit-good-ace
group:staff:rwxpd-aARWcCos:------:allow
everyone@:--------------:------:allow
---
source3/modules/vfs_zfsacl.c | 36 +++++++++++++++++++++++++++++++++++-
1 files changed, 35 insertions(+), 1 deletions(-)
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 286720a..a9e078c 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -113,10 +113,12 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
SMB4ACE_T *smbace;
TALLOC_CTX *mem_ctx;
bool have_special_id = false;
+ bool have_file_inheritance_special_id = false;
+ bool have_dir_inheritance_special_id = false;
/* allocate the field of ZFS aces */
mem_ctx = talloc_tos();
- acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
+ acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*(naces+1));
if(acebuf == NULL) {
errno = ENOMEM;
return False;
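Review bot: The enlarged allocation on the `acebuf = (ace_t *) talloc_size(...)` line still multiplies `sizeof(ace_t)*(naces+1)` by hand with no overflow check, and keeps a cast C does not need; `acebuf = talloc_array(mem_ctx, ace_t, naces + 1);` does the same job with talloc's checked multiplication and names the allocation's type. The spare slot is now reserved on every call, including when the new option is off, which is harmless but unexplained at this point of the function, so a comment such as `/* +1: room for the synthetic everyone@ inherit ACE appended below */` would tie the two hunks together. zfs_process_smbacl's body continues outside the hunk.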
@@ -151,6 +153,13 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
continue; /* don't add it !!! */
}
have_special_id = true;
+ if (acebuf[i].a_flags & ACE_FILE_INHERIT_ACE) {
+ have_file_inheritance_special_id = true;
+ }
+ if (acebuf[i].a_flags & ACE_DIRECTORY_INHERIT_ACE &&
+ !(acebuf[i].a_flags & ACE_NO_PROPAGATE_INHERIT_ACE)) {
+ have_dir_inheritance_special_id = true;
+ }
}
}
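Review bot: The new directory-inheritance test on the `if (acebuf[i].a_flags & ACE_DIRECTORY_INHERIT_ACE &&` line mixes `&` and `&&` without parentheses; it is correct because `&` binds tighter, but it reads as a precedence trap, and `if ((acebuf[i].a_flags & ACE_DIRECTORY_INHERIT_ACE) &&` makes the intent explicit. The asymmetry between the two checks — ACE_NO_PROPAGATE_INHERIT_ACE disqualifies a directory-inherit ACE but not a file-inherit one — is not explained; presumably a no-propagate ACE reaches a child directory stripped of its inherit flags, so that child would again lack an inheritable special id, and a short comment saying so, e.g. `/* a no-propagate ACE reaches a subdirectory without inherit flags, so it does not count */`, would spare the next reader the derivation. The enclosing loop and the function start outside the hunk.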
@@ -163,6 +172,31 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
SMB_ASSERT(i == naces);
+ /* Solaris 10 hack: Append the non-effective ACE
+ * 'everyone@::fd:allow' if the specified ACL has no
+ * inheritance special id ACE.
+ *
+ * When a directory has no inheritance special id ACE
+ * (i.e., 'owner@', 'group@' and 'everyone@' with
+ * inheritance flags), a new file under the directory
+ * inherits the ACL with unexpected DENY special id
+ * ACEs. It is NOT compatible with Windows explorer
+ * ACL editor.
+ */
+ if ((!have_file_inheritance_special_id || !have_dir_inheritance_special_id) &&
+ lp_parm_bool(fsp->conn->params->service, "zfsacl",
+ "force inheritance special id ace",
+ false)) {
+ acebuf[naces].a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
+ acebuf[naces].a_flags =
+ ACE_EVERYONE |
+ ACE_FILE_INHERIT_ACE |
+ ACE_DIRECTORY_INHERIT_ACE;
+ acebuf[naces].a_access_mask = 0;
+ acebuf[naces].a_who = 0;
+ naces++;
+ }
+
/* store acl */
if(acl(fsp->fsp_name->base_name, ACE_SETACL, naces, acebuf)) {
if(errno == ENOSYS) {
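Review bot: The synthetic ACE is appended whenever the option is set and one of the inherit flags is missing, with no check that the object being written is a directory, although the comment and the commit message describe the problem only for directories; acl(2) may reject, or merely store, inheritance flags on a regular file, and gating the block on the target being a directory (files_struct carries an `is_directory` flag in this Samba generation — worth confirming) with `if (fsp->is_directory &&` in front of the existing condition would leave regular files untouched. The commit message's own example also shows the side effect the option has: with the inheritable everyone@ entry present the created file no longer receives the mode-derived owner@/group@/everyone@ ACEs and is listed as `----------+` instead of `-rw-r--r--+`, which is a change in effective permissions administrators need to know about, so the new `zfsacl:force inheritance special id ace` option should be described in the vfs_zfsacl manual page together with that consequence. The function continues outside the hunk.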
--
1.7.9