When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.

Andrew Bartlett abartlet at samba.org
Fri Oct 5 15:27:28 MDT 2012


On Fri, 2012-10-05 at 08:44 -0700, Jeremy Allison wrote:
> On Fri, Oct 05, 2012 at 06:01:08PM +1000, Andrew Bartlett wrote:
> > On Tue, 2012-10-02 at 22:28 +0200, Jeremy Allison wrote:
> > > commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f
> > > Author: Jeremy Allison <jra at samba.org>
> > > Date:   Tue Oct 2 10:15:54 2012 -0700
> > > 
> > >     When setting a non-default ACL, don't forget to apply masks to
> > > SMB_ACL_USER and SMB_ACL_GROUP entries.
> > 
> > Jeremy,
> > 
> > With this change, does this mean we have changed the mapping between
> > posix ACLs and NT ACLs?
> > 
> > If so, I'm concerned that any NT ACLs that have been set with
> > vfs_acl_xattr will be invalidated, as the hash won't match up.  
> 
> Andrew, it *never* matters on set, it only matters on get.
> 
> On set we will do a re-hash, so changing the mapping on sets
> doesn't matter.

Sure, but this code seems to be in the get codepath,
ensure_canon_entry_valid() is called via canonicalise_acl() from
posix_get_nt_acl_common(). 

Perhaps we can address my concerns another way.  When setting an NT ACL
as a posix ACL, it seems on line 2884 of posix_acls.c:

		/*
		 * ACLs only "need" an ACL_MASK entry if there are any named user or
		 * named group entries. But if there is an ACL_MASK entry, it applies
		 * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
		 * so that it doesn't deny (i.e., mask off) any permissions.
		 */

		if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
			needs_mask = True;
			mask_perms |= p_ace->perms;
		} else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
			mask_perms |= p_ace->perms;
		}

I'm not even entirely sure why posix_get_nt_acl_common() needs to
call canonicalise_acl(), but at least that we would create a mask such
that applying it when converting back to an NT ACL it would be a no-op,
as we ensure that the bits we want are always in the mask. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
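
The property argued for in the message above, as an added example that is not part of the original post and is not Samba's code: a mask built as the union of the named-user, named-group and owning-group permissions changes nothing when applied on the get path, while a narrower mask does. The type names, `build_mask()`, `changed_by_mask()` and the sample ACL are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-ins for Samba's entry types; not the posix_acls.c definitions. */
enum ace_type { ACE_USER_OBJ, ACE_USER, ACE_GROUP_OBJ, ACE_GROUP, ACE_OTHER };
struct ace { enum ace_type type; unsigned perms; };	/* perms bits: r=4, w=2, x=1 */
/* Constructed sample: user::rwx, user:named:rw-, group::r-x, group:named:r--, other::r-- */
const struct ace sample[] = {
	{ ACE_USER_OBJ, 7 }, { ACE_USER, 6 }, { ACE_GROUP_OBJ, 5 }, { ACE_GROUP, 4 }, { ACE_OTHER, 4 },
};
const size_t sample_len = sizeof(sample) / sizeof(sample[0]);

/* The mask limits named users, named groups and the owning group only. */
static int is_masked(enum ace_type t)
{
	return t == ACE_USER || t == ACE_GROUP || t == ACE_GROUP_OBJ;
}

/* Set path: OR together the perms of every entry the mask applies to. */
unsigned build_mask(const struct ace *a, size_t n, int *needs_mask)
{
	unsigned mask = 0;
	*needs_mask = 0;
	for (size_t i = 0; i < n; i++) {
		if (a[i].type == ACE_USER || a[i].type == ACE_GROUP)
			*needs_mask = 1;	/* only named entries require a mask */
		if (is_masked(a[i].type))
			mask |= a[i].perms;
	}
	return mask;
}

/* Get path: count entries whose perms change when the mask is applied. */
size_t changed_by_mask(const struct ace *a, size_t n, unsigned mask)
{
	size_t changed = 0;
	for (size_t i = 0; i < n; i++)
		if (is_masked(a[i].type) && (a[i].perms & mask) != a[i].perms)
			changed++;
	return changed;
}

int main(void)
{
	int needs;
	unsigned m = build_mask(sample, sample_len, &needs);
	printf("needs_mask=%d mask=%o changed=%zu changed_under_r--=%zu\n", needs, m,
	       changed_by_mask(sample, sample_len, m), changed_by_mask(sample, sample_len, 4));
	return 0;
}
```

A non-zero count under the narrower mask is the case where the permissions read back differ from what was stored in the entries.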



