When creating a new file/directory, we need to obey the create mask/directory mask parameters.

Jeremy Allison jra at samba.org
Tue Oct 2 17:33:35 MDT 2012


On Wed, Oct 03, 2012 at 09:16:42AM +1000, Andrew Bartlett wrote:
> On Tue, 2012-10-02 at 22:28 +0200, Jeremy Allison wrote:
> > The branch, master has been updated
> >        via  c251a6b When creating a new file/directory, we need to obey the create mask/directory mask parameters.
> >        via  8f0ecbb Add functions to programatically set the security mask and directory security mask parameters.
> >        via  6575d1d When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
> >        via  5d5ddbd Only apply masks on non-default ACL entries when setting the ACL.
> >        via  82e7132 Use is_default_acl variable in canonicalise_acl().
> >        via  efb446a Reformat spacing to be even.
> >       from  a168a7c tdb: Fix a typo
> > 
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > 
> > 
> > - Log -----------------------------------------------------------------
> > commit c251a6b0442abc13bc8be4ff8de324c1d7706a78
> > Author: Jeremy Allison <jra at samba.org>
> > Date:   Tue Oct 2 10:25:14 2012 -0700
> > 
> >     When creating a new file/directory, we need to obey the create mask/directory mask parameters.
> >     
> >     Currently we call FSET_NT_ACL to inherit any ACLs on create. However
> >     FSET_NT_ACL uses the security mask/directory security mask parameters
> >     instead of the create mask/directory mask parameters.
> >     
> >     Swap them temporarily when creating to ensure the correct masks
> >     are applied.
> >     
> >     Autobuild-User(master): Jeremy Allison <jra at samba.org>
> >     Autobuild-Date(master): Tue Oct  2 22:27:17 CEST 2012 on sn-devel-104
> 
> Jeremy,
> 
> Why couldn't we just pass in the information to FSET_NT_ACL so it can
> use the correct parameters in the first place? 
> 
> I really dislike the idea of changing the smb.conf parameters
> mid-execution like this.  It breaks the abstractions horribly, creates
> confusion in the code (because the lower layers don't know that they are
> not really using this parameter), and it will make it much harder to
> reform the smb.conf loading layer.
> 
> Can you please rework this to pass in a file/directory flag?

That means a VFS API change, which is why I didn't do it that
way originally.

I'll leave the patch as-is for 4.0.0, but I will examine modifying
the VFS API for 4.1.

The underlying problem is inside the default CreateFile
call (which does know the file/directory was created)
we need to call FSET_NT_ACL (which doesn't know this
is a create operation). Even though the VFS has
CreateFile, it's not atomic at the lower layers.

Jeremy.


More information about the samba-technical mailing list