ACL Inheritance and merging of ACEs ...

Simo simo at samba.org
Fri Jun 14 06:28:04 MDT 2013


On 06/13/2013 10:18 PM, Richard Sharpe wrote:
> Hi folks,
>
> There is good evidence from Windows that ACEs are merged when an entry
> is added because of CREATOR OWNER or CREATOR GROUP ACEs on a parent.

How did you test this?
I suspect the merging you describe below is done on the client and not 
on the server, but anything could be. What we should start with is a 
smbtorture test that shows that the server actually does that. If it is 
the server then we should fix ours.

Simo.

> Consider this parent folder on Windows:
>
> cc1# smbcacls //192.168.56.50/c /test1 -Unimbus-10/labview\ r\&d%xxxxxxxxx
> Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
> Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
> REVISION:1
> CONTROL:0x9404
> OWNER:BUILTIN\Administrators
> GROUP:NIMBUS-10\Domain Users
> ACL:NIMBUS-10\Administrator:ALLOWED/0x0/FULL
> ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
> ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
> ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
> ACL:NIMBUS-10\Domain Users:ALLOWED/0x0/0x001200af
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1
>
> And, as NIMBUS-10\LabVIEW R&D I created a new folder in test1 and got
> these permissions:
>
> cc1# smbcacls //192.168.56.50/c /test1/anewfolder -Unimbus-10/labview\
> r\&d%xxxxxx
> Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
> Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
> REVISION:1
> CONTROL:0x8404
> OWNER:NIMBUS-10\LabVIEW R&D
> GROUP:NIMBUS-10\Domain Users
> ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
> ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO|I/0x001000a1
>
> Why did I get OI|CI|IO on that last entry (ignoring the I flag for the moment)?
>
> That is because this entry:
>
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1
>
> is actually two entries:
>
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/0x0/0x001000a1
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO/0x001000a1
>
> and because there is also this entry from the CREATOR OWNER ACE on the parent:
>
> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
>
> Windows merged the first non-inheritable entry above, leaving the
> entry that says OI|CI|IO.
>
> We need to take a pass across the ACL after we created the new ACL
> from inheritance and merge any ACEs that can be merged. Fortunately,
> we only need to consider ACEs where the trustee matches the OWNER and
> GROUP SIDs on the new object.
>


-- 
Simo Sorce
Samba Team Member <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
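Added illustration (editor's own code, not Samba's or Windows' implementation and not from either message): a Python model of the inheritance-plus-merge pass that Richard's message describes, fed with the parent ACL from his smbcacls output. Inheritable ACEs are kept in the "split" form he uses (an effective ACE carrying only I, plus an inherit-only OI|CI|IO|I copy), CREATOR OWNER / CREATOR GROUP are resolved to the child's owner and group on the effective half, ALLOWED ACEs with the same trustee and flags are then merged, and finally effective/inherit-only twins are folded back into the single OI|CI|I ACE that smbcacls prints. The inheritance rules for file children and for the NP (no-propagate) flag, the value 0x001F01FF for FULL, and the names `Ace`, `parse_ace`, `inherit`, `merge`, `fold` and `child_acl` are the editor's assumptions, not anything from the thread; whether the merge happens on the server or the client, which Simo questions, is not something this model settles, it only reproduces the output Richard observed.

```python
# Editor's added example: model of ACE inheritance + merge as described in the
# quoted post. Not Samba or Windows code; rule details are assumptions.
from dataclasses import dataclass, replace

FULL = 0x001F01FF                 # mask smbcacls prints as "FULL" (assumed)
CREATOR_OWNER = "CREATOR OWNER"
CREATOR_GROUP = "CREATOR GROUP"


@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str             # "ALLOWED" or "DENIED"
    flags: frozenset      # subset of {"OI", "CI", "IO", "NP", "I"}
    mask: int


def parse_ace(line: str) -> Ace:
    """Parse one 'ACL:trustee:TYPE/flags/mask' line in smbcacls format."""
    body = line.strip()[len("ACL:"):]
    trustee, rest = body.rsplit(":", 1)
    kind, flagstr, maskstr = rest.split("/")
    # "0x0" means no flags; a stray trailing "|" (as in the post) is ignored
    flags = frozenset(f for f in flagstr.split("|") if f and f != "0x0")
    mask = FULL if maskstr == "FULL" else int(maskstr, 16)
    return Ace(trustee, kind, flags, mask)


def fmt_ace(ace: Ace) -> str:
    """Print an ACE back in the same smbcacls style."""
    flagstr = "|".join(f for f in ("OI", "CI", "IO", "NP", "I") if f in ace.flags) or "0x0"
    maskstr = "FULL" if ace.mask == FULL else f"0x{ace.mask:08x}"
    return f"ACL:{ace.trustee}:{ace.kind}/{flagstr}/{maskstr}"


def inherit(parent: list, owner: str, group: str, is_dir: bool) -> list:
    """Inherited ACEs for a new child, in split form: the part that applies to
    the child itself (flag I only, CREATOR OWNER/GROUP resolved) and, for a
    directory, an unresolved inherit-only copy that is passed on further."""
    subst = {CREATOR_OWNER: owner, CREATOR_GROUP: group}
    out = []
    for ace in parent:
        if not ace.flags & {"OI", "CI"}:
            continue                                   # not inheritable at all
        if ("CI" if is_dir else "OI") in ace.flags:
            out.append(Ace(subst.get(ace.trustee, ace.trustee), ace.kind,
                           frozenset({"I"}), ace.mask))
        if is_dir and "NP" not in ace.flags:           # NP handling is assumed
            out.append(replace(ace, flags=(ace.flags & {"OI", "CI"}) | {"IO", "I"}))
    return out


def merge(aces: list) -> list:
    """The merge pass from the post: ALLOWED ACEs with the same trustee and the
    same flags are combined by OR-ing their masks. Conservatively never merges
    across a DENIED ACE, since that could change which bits the deny catches."""
    out: list = []
    for ace in aces:
        merged = False
        for i in range(len(out) - 1, -1, -1):
            prev = out[i]
            if prev.kind == "DENIED" or ace.kind == "DENIED":
                break
            if (prev.trustee, prev.flags) == (ace.trustee, ace.flags):
                out[i] = replace(prev, mask=prev.mask | ace.mask)
                merged = True
                break
        if not merged:
            out.append(ace)
    return out


def fold(aces: list) -> list:
    """Collapse an effective ACE and its own inherit-only twin (same trustee,
    type and mask) into the single OI|CI|I form that Windows/smbcacls show."""
    out = list(aces)
    for i, a in enumerate(out):
        if a.flags != {"I"}:
            continue
        for j in range(i + 1, len(out)):
            b = out[j]
            if (b.trustee, b.kind, b.mask) == (a.trustee, a.kind, a.mask) and "IO" in b.flags:
                out[i] = replace(b, flags=b.flags - {"IO"})
                del out[j]
                break
    return out


def child_acl(parent_lines: list, owner: str, group: str, is_dir: bool = True) -> list:
    parent = [parse_ace(line) for line in parent_lines]
    return [fmt_ace(a) for a in fold(merge(inherit(parent, owner, group, is_dir)))]


# Parent ACL of /test1 as printed in the post (input copied from the message).
PARENT_TEST1 = [
    r"ACL:NIMBUS-10\Administrator:ALLOWED/0x0/FULL",
    r"ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL",
    r"ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL",
    r"ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL",
    r"ACL:NIMBUS-10\Domain Users:ALLOWED/0x0/0x001200af",
    r"ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1",
]

if __name__ == "__main__":
    for line in child_acl(PARENT_TEST1, r"NIMBUS-10\LabVIEW R&D", r"NIMBUS-10\Domain Users"):
        print(line)
```

Run as-is it prints the four-entry ACL Richard shows for `anewfolder`: the effective `LabVIEW R&D:I/0x001000a1` produced by the parent's OI|CI ACE is absorbed into the `LabVIEW R&D:I/FULL` that came from CREATOR OWNER, and only the inherit-only copy survives. Passing `is_dir=False` models a file created in the same directory. The merge deliberately compares trustee and flags, not just trustee, so an inherit-only ACE is never folded into an effective one with a different scope; as the post notes, in practice only ACEs whose trustee is the new object's owner or group end up as duplicates, because those are the only ones that gain a second source through CREATOR OWNER / CREATOR GROUP substitution.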