When creating a new file/directory, we need to obey the create mask/directory mask parameters.
jra at samba.org
Tue Oct 2 17:33:35 MDT 2012
On Wed, Oct 03, 2012 at 09:16:42AM +1000, Andrew Bartlett wrote:
> On Tue, 2012-10-02 at 22:28 +0200, Jeremy Allison wrote:
> > The branch, master has been updated
> > via c251a6b When creating a new file/directory, we need to obey the create mask/directory mask parameters.
> > via 8f0ecbb Add functions to programatically set the security mask and directory security mask parameters.
> > via 6575d1d When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
> > via 5d5ddbd Only apply masks on non-default ACL entries when setting the ACL.
> > via 82e7132 Use is_default_acl variable in canonicalise_acl().
> > via efb446a Reformat spacing to be even.
> > from a168a7c tdb: Fix a typo
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > - Log -----------------------------------------------------------------
> > commit c251a6b0442abc13bc8be4ff8de324c1d7706a78
> > Author: Jeremy Allison <jra at samba.org>
> > Date: Tue Oct 2 10:25:14 2012 -0700
> > When creating a new file/directory, we need to obey the create mask/directory mask parameters.
> > Currently we call FSET_NT_ACL to inherit any ACLs on create. However
> > FSET_NT_ACL uses the security mask/directory security mask parameters
> > instead of the create mask/directory mask parameters.
> > Swap them temporarily when creating to ensure the correct masks
> > are applied.
> > Autobuild-User(master): Jeremy Allison <jra at samba.org>
> > Autobuild-Date(master): Tue Oct 2 22:27:17 CEST 2012 on sn-devel-104
> Why couldn't we just pass in the information to FSET_NT_ACL so it can
> use the correct parameters in the first place?
> I really dislike the idea of changing the smb.conf parameters
> mid-execution like this. It breaks the abstractions horribly, creates
> confusion in the code (because the lower layers don't know that they are
> not really using this parameter), and it will make it much harder to
> reform the smb.conf loading layer.
> Can you please rework this to pass in a file/directory flag?
That means a VFS API change, which is why I didn't do it that
I'll leave the patch as-is for 4.0.0, but I will examine modifying
the VFS API for 4.1.
The underlying problem is inside the default CreateFile
call (which does know the file/directory was created)
we need to call FSET_NT_ACL (which doesn't know this
is a create operation). Even though the VFS has
CreateFile, it's not atomic at the lower layers.
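
The two designs debated in this thread, as an added example that is not part of the original message and is not Samba code. It is a simplified model that assumes each mask is a plain AND mask on mode bits; `share_params`, `set_acl_mode`, `create_with_swap` and `set_acl_mode_flag` are hypothetical names.

```c
#include <stdio.h>
#include <sys/types.h>

/* Simplified model with hypothetical names; not Samba source code. */
struct share_params {
    mode_t create_mask;   /* models "create mask" */
    mode_t security_mask; /* models "security mask" */
};

/* Lower layer: like FSET_NT_ACL in the thread, it does not know whether
 * the caller is creating a file, so it always reads security_mask. */
static mode_t set_acl_mode(const struct share_params *p, mode_t requested)
{
    return requested & p->security_mask;
}

/* Approach in the commit: swap the parameter around the call. */
static mode_t create_with_swap(struct share_params *p, mode_t inherited)
{
    mode_t saved = p->security_mask;
    mode_t result;

    p->security_mask = p->create_mask; /* shared config mutated here */
    result = set_acl_mode(p, inherited);
    p->security_mask = saved;          /* must run on every exit path */
    return result;
}

/* Approach requested in review: the caller states that this is a create. */
static mode_t set_acl_mode_flag(const struct share_params *p,
                                mode_t requested, int is_create)
{
    mode_t mask = is_create ? p->create_mask : p->security_mask;
    return requested & mask;
}

int main(void)
{
    struct share_params p = { 0744, 0777 }; /* constructed sample values */

    printf("swap on create: %04o\n", (unsigned)create_with_swap(&p, 0777));
    printf("flag on create: %04o\n", (unsigned)set_acl_mode_flag(&p, 0777, 1));
    printf("flag on set:    %04o\n", (unsigned)set_acl_mode_flag(&p, 0777, 0));
    printf("security_mask after swap: %04o\n", (unsigned)p.security_mask);
    return 0;
}
```

Both paths apply the create mask to a newly created object; the flag version does so without writing to the shared parameters, so the lower layer can take them as `const`.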