Read ACLs & Samba 4.0.1 Was: [Re: ACLs on Attributes that do not have attributeSecurityGUID]

Andrew Bartlett abartlet at samba.org
Tue Jan 22 14:28:54 MST 2013


On Tue, 2013-01-22 at 11:48 -0500, Adam Tauno Williams wrote:
> On Thu, 2013-01-03 at 08:56 +1100, Andrew Bartlett wrote:
> > On Wed, 2013-01-02 at 21:34 +0100, Marc Muehlfeld wrote:
> > > Am 02.01.2013 09:44, schrieb Andrew Bartlett:
> > > > I'm maintaining this (and my summer collection of un-reviewed patches)
> > > > in my acl-read-fixes branch.
> > > I applied all 10 patches from your previous posting on my test environment.
> > > And now I get the unixHomeDirectory attribute, as non-domain-admin too:
> > > # ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" -D 
> > > "CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W 
> > > "(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=muehlfeld))" | grep 
> > > unixHomeDirectory
> > > unixHomeDirectory: /home/muehlfeld
> > Thanks.  The issue that we have now is that somehow (and I'm totally
> > stumped as to how), the patch to correct the groups breaks our WRITE ACL
> > tests.  That somehow implies that users now can write to more than they
> > should, which is scary.
> > I simply make this warning because I need to understand this more before
> > I can recommend this for production use, because it seems very wrong.
> > Anyway, thanks for the testing, I do very much appreciate it.
> 
> Rolling this fix into 4.0.1 was mentioned earlier in the thread.  I
> assume from the above that the read-ACL fixes are *not* included in
> 4.0.1 [the expected behavior in 4.0.1 is the same as in 4.0.0]?

4.0.1 is a security release, addressing the underlying reason why the
patches broke our write ACL tests (they exposed a nasty security hole).

4.0.2 will have much more correct behaviour here.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
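The concern in this thread is two-sided: the read-ACL patches should make an attribute like unixHomeDirectory visible to an unprivileged bind (as in Marc's ldapsearch), while that same bind must still be refused when it tries to write the attribute. The script below is an added example, not code from the thread or from Samba; it assumes OpenLDAP client tools, and the host, base DN, bind DN, target DN and password file are placeholders for your own environment.

```shell
#!/bin/sh
# Added regression check (not from the thread): confirm that an unprivileged
# bind can READ unixHomeDirectory after the read-ACL fixes, but is still
# REFUSED when it tries to WRITE it. All DNs below are placeholders.
LDAP_HOST="${LDAP_HOST:-localhost}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-CN=nslcd-connect,OU=BackendUsers,$BASE_DN}"
TARGET_DN="${TARGET_DN:-CN=testuser,CN=Users,$BASE_DN}"
PASSFILE="${PASSFILE:-$HOME/.ldap-bind-pw}"   # password file for -y (not -w)
ATTR="unixHomeDirectory"

# Print the value of attribute $2 from LDIF text $1 (empty if not returned).
# Plain, unfolded values only, which is enough for unixHomeDirectory.
ldif_attr_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# Map an ldapmodify exit status to a verdict. The OpenLDAP tools exit with
# the LDAP result code: 0 = success, 50 = insufficientAccessRights.
modify_verdict() {
    case "$1" in
        0)  echo allowed ;;   # unprivileged bind could write: ACL hole
        50) echo refused ;;   # expected: write denied
        *)  echo error ;;     # bind failure, no such object, etc.
    esac
}

check_read_and_write() {
    out=$(ldapsearch -LLL -x -h "$LDAP_HOST" -D "$BIND_DN" -y "$PASSFILE" \
          -b "$TARGET_DN" -s base "(objectClass=user)" "$ATTR")
    val=$(ldif_attr_value "$out" "$ATTR")
    if [ -z "$val" ]; then
        echo "READ FAIL: $ATTR not visible to $BIND_DN"; return 1
    fi
    echo "READ ok: $ATTR=$val"
    # Re-write the attribute to its current value: a wrongly permitted
    # write changes nothing on the test object but is still detected.
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$TARGET_DN" "$ATTR" "$ATTR" "$val" |
        ldapmodify -x -h "$LDAP_HOST" -D "$BIND_DN" -y "$PASSFILE" >/dev/null 2>&1
    rc=$?
    verdict=$(modify_verdict "$rc")
    echo "WRITE attempt by unprivileged bind: $verdict (want: refused)"
    [ "$verdict" = refused ]
}

# Only contact a server when invoked with "run", so the helpers above can be
# sourced and checked without a directory.
if [ "${1:-}" = run ]; then check_read_and_write; fi
```

Run it as `sh acl-check.sh run` against a test object; a non-zero exit means either the read regressed or the write was not refused.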