When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
Andrew Bartlett
abartlet at samba.org
Fri Oct 5 15:27:28 MDT 2012
On Fri, 2012-10-05 at 08:44 -0700, Jeremy Allison wrote:
> On Fri, Oct 05, 2012 at 06:01:08PM +1000, Andrew Bartlett wrote:
> > On Tue, 2012-10-02 at 22:28 +0200, Jeremy Allison wrote:
> > > commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f
> > > Author: Jeremy Allison <jra at samba.org>
> > > Date: Tue Oct 2 10:15:54 2012 -0700
> > >
> > > When setting a non-default ACL, don't forget to apply masks to
> > > SMB_ACL_USER and SMB_ACL_GROUP entries.
> >
> > Jeremy,
> >
> > With this change, does this mean we have changed the mapping between
> > posix ACLs and NT ACLs?
> >
> > If so, I'm concerned that any NT ACLs that have been set with
> > vfs_acl_xattr will be invalidated, as the hash won't match up.
>
> Andrew, it *never* matters on set, it only matters on get.
>
> On set we will re-hash, so changing the mapping on sets
> doesn't matter.
Sure, but this code seems to be in the get codepath,
ensure_canon_entry_valid() is called via canonicalise_acl() from
posix_get_nt_acl_common().
Perhaps we can address my concerns another way. When setting an NT ACL
as a posix ACL, it seems on line 2884 of posix_acls.c:
    /*
     * ACLs only "need" an ACL_MASK entry if there are any named user or
     * named group entries. But if there is an ACL_MASK entry, it applies
     * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
     * so that it doesn't deny (i.e., mask off) any permissions.
     */
    if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
        needs_mask = True;
        mask_perms |= p_ace->perms;
    } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
        mask_perms |= p_ace->perms;
    }
I'm not even entirely sure why posix_get_nt_acl_common() needs to
call canonicalise_acl(), but at least we would create a mask such
that applying it when converting back to an NT ACL would be a no-op,
as we ensure that the bits we want are always in the mask.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
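To make the mask semantics discussed in the thread concrete, here is a small C model added to this archive page (it is not Samba code): it builds the mask the way the quoted loop does, from the union of the ACL_USER, ACL_GROUP and ACL_GROUP_OBJ permissions, and checks that applying that mask to every entry is a no-op, whereas a narrower mask silently reduces a named user's access. The tag enum, entry struct and sample ACL are simplified assumptions, not Samba's own types.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified POSIX.1e ACL model (an assumption for this example, not Samba's structs). */
enum acl_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
#define PERM_R 4
#define PERM_W 2
#define PERM_X 1
struct acl_entry { enum acl_tag tag; unsigned perms; };

/* Mirror of the quoted loop: the mask is the union of every ACL_USER, ACL_GROUP and
   ACL_GROUP_OBJ entry's perms; a mask is only "needed" when named entries exist. */
bool compute_mask(const struct acl_entry *acl, size_t n, unsigned *mask_out) {
    bool needs_mask = false;
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == ACL_USER || acl[i].tag == ACL_GROUP) {
            needs_mask = true;
            mask |= acl[i].perms;
        } else if (acl[i].tag == ACL_GROUP_OBJ) {
            mask |= acl[i].perms;
        }
    }
    *mask_out = mask;
    return needs_mask;
}

/* POSIX.1e: the mask limits ACL_USER, ACL_GROUP and ACL_GROUP_OBJ; other tags are unaffected. */
unsigned effective_perms(const struct acl_entry *e, unsigned mask) {
    if (e->tag == ACL_USER || e->tag == ACL_GROUP || e->tag == ACL_GROUP_OBJ)
        return e->perms & mask;
    return e->perms;
}

/* True when applying the mask changes no entry, i.e. converting back to an NT ACL is a no-op. */
bool mask_is_noop(const struct acl_entry *acl, size_t n, unsigned mask) {
    for (size_t i = 0; i < n; i++)
        if (effective_perms(&acl[i], mask) != acl[i].perms) return false;
    return true;
}

/* Constructed sample ACL: owner rwx, named user rw-, owning group r--, named group r-x, other ---. */
static const struct acl_entry sample_acl[] = {
    { ACL_USER_OBJ, PERM_R | PERM_W | PERM_X }, { ACL_USER, PERM_R | PERM_W },
    { ACL_GROUP_OBJ, PERM_R }, { ACL_GROUP, PERM_R | PERM_X }, { ACL_OTHER, 0 },
};
#define SAMPLE_N (sizeof(sample_acl) / sizeof(sample_acl[0]))
unsigned sample_mask(void) { unsigned m = 0; compute_mask(sample_acl, SAMPLE_N, &m); return m; }
bool sample_noop(unsigned mask) { return mask_is_noop(sample_acl, SAMPLE_N, mask); }
```

With the sample ACL the computed mask is rwx, so the round trip loses nothing; a stored mask of r-- instead would turn the named user's rw- into r-- on the get path, which is exactly the kind of mapping change that would make a stored NT ACL hash stop matching.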