Read ACLs & Samba 4.0.1 Was: [Re: ACLs on Attributes that do not have attributeSecurityGUID]

Stefan (metze) Metzmacher metze at samba.org
Tue Jan 22 22:58:08 MST 2013


On 22.01.2013 17:48, Adam Tauno Williams wrote:
> On Thu, 2013-01-03 at 08:56 +1100, Andrew Bartlett wrote:
>> On Wed, 2013-01-02 at 21:34 +0100, Marc Muehlfeld wrote:
>>>> On 02.01.2013 09:44, Andrew Bartlett wrote:
>>>> I'm maintaining this (and my summer collection of un-reviewed patches)
>>>> in my acl-read-fixes branch.
>>> I applied all 10 patches from your previous posting on my test environment. 
>>> And now I get the unixHomeDirectory attribute, as non-domain-admin too:
>>> # ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" -D 
>>> "CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W 
>>> "(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=muehlfeld))" | grep 
>>> unixHomeDirectory
>>> unixHomeDirectory: /home/muehlfeld
>> Thanks.  The issue that we have now is that somehow (and I'm totally
>> stumped as to how), the patch to correct the groups breaks our WRITE ACL
>> tests.  That somehow implies that users now can write to more than they
>> should, which is scary.
>> I simply make this warning because I need to understand this more before
>> I can recommend this for production use, because it seems very wrong. 
>> Anyway, thanks for the testing, I do very much appreciate it. 
> 
> Rolling this fix into 4.0.1 was mentioned earlier in the thread.  I
> assume from the above that the read-ACL fixes are *not* included in
> 4.0.1 [the expected behavior in 4.0.1 is the same as in 4.0.0]?

Yes, 4.0.1 only fixes the security problem, the real fixes will be
in the next bug fix release.

metze
