ACL Inheritance and merging of ACEs ...

Richard Sharpe realrichardsharpe at gmail.com
Fri Jun 14 12:16:46 MDT 2013


On Fri, Jun 14, 2013 at 5:39 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Fri, Jun 14, 2013 at 5:28 AM, Simo <simo at samba.org> wrote:
>> On 06/13/2013 10:18 PM, Richard Sharpe wrote:
>>>
>>> Hi folks,
>>>
>>> There is good evidence from Windows that ACEs are merged when an entry
>>> is added because of CREATOR OWNER or CREATOR GROUP ACEs on a parent.
>>
>>
>> How did you test this ?
>
> With a W2K08R2 server where I set up the parent ACL and a Win7 client
> where I created the new folder.
>
>> I suspect the merging you describe below is done on the client and not on
>> the server, but anything could be.
>
> While I don't currently have a capture, I doubt it. I will get a capture soon.
>
>> What we should start with is a smbtorture
>> test that shows that the server actually does that. If it is the server then
>> we should fix ours.
>
> I will write up an smbtorture test. It also does merging for files,
> but it is more complex for folders.

I know for a couple of reasons that the client is not doing the
merging, one of which is that QA has filed a bug about duplicate ACEs.

Anyhow, attached is a capture of Win7 creating a new folder (xxxyz)
along with using icacls to retrieve the SD. There is no intervening
SETINFO.

Here is what the SD looks like:

cc1# smbcacls //192.168.56.50/c /test1/xxxyz -Unimbus-10/labview\ r\&d%xxxxxxx --numeric
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x8404
OWNER:S-1-5-21-1974519673-996841176-3241138571-1143
GROUP:S-1-5-21-1974519673-996841176-3241138571-513
ACL:S-1-5-18:0/0x13/0x001f01ff
ACL:S-1-5-21-1974519673-996841176-3241138571-1143:0/0x10/0x001f01ff
ACL:S-1-3-0:0/0x1b/0x001f01ff
ACL:S-1-5-21-1974519673-996841176-3241138571-1143:0/0x1b/0x001000a1


>>
>>
>>> Consider this parent folder on Windows:
>>>
>>> cc1# smbcacls //192.168.56.50/c /test1 -Unimbus-10/labview\ r\&d%xxxxxxxxx
>>> Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
>>> Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
>>> REVISION:1
>>> CONTROL:0x9404
>>> OWNER:BUILTIN\Administrators
>>> GROUP:NIMBUS-10\Domain Users
>>> ACL:NIMBUS-10\Administrator:ALLOWED/0x0/FULL
>>> ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
>>> ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
>>> ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
>>> ACL:NIMBUS-10\Domain Users:ALLOWED/0x0/0x001200af
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1
>>>
>>> And, as NIMBUS-10\LabVIEW R&D I created a new folder in test1 and got
>>> these permissions:
>>>
>>> cc1# smbcacls //192.168.56.50/c /test1/anewfolder -Unimbus-10/labview\ r\&d%xxxxxx
>>> Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
>>> Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
>>> REVISION:1
>>> CONTROL:0x8404
>>> OWNER:NIMBUS-10\LabVIEW R&D
>>> GROUP:NIMBUS-10\Domain Users
>>> ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
>>> ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO|I/0x001000a1
>>>
>>> Why did I get OI|CI|IO on that last entry (ignoring the I flag for the
>>> moment)?
>>>
>>> That is because this entry:
>>>
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1
>>>
>>> is actually two entries:
>>>
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/0x0/0x001000a1
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO/0x001000a1
>>>
>>> and because there is also this entry from the CREATOR OWNER ACE on the
>>> parent:
>>>
>>> ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
>>>
>>> Windows merged the first non-inheritable entry above, leaving the
>>> entry that says OI|CI|IO.
>>>
>>> We need to take a pass across the ACL after we created the new ACL
>>> from inheritance and merge any ACEs that can be merged. Fortunately,
>>> we only need to consider ACEs where the trustee matches the OWNER and
>>> GROUP SIDs on the new object.
>>>
>>
>>
>> --
>> Simo Sorce
>> Samba Team Member <simo at samba.org>
>> Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
>>
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: create-folder-get-ACL.pcapng
Type: application/octet-stream
Size: 13988 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130614/44529a16/attachment.obj>
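The model below is an added example, not Samba's code and not a claim about Windows' real implementation: it applies the usual OI/CI/IO/NP inheritance rules with CREATOR OWNER / CREATOR GROUP substitution to the parent DACL quoted above, then runs the merge pass the message describes, in which an effective OI|CI ACE for the new object's owner is treated as an effective part plus an inherit-only part and the effective part is folded into the ACE that came from CREATOR OWNER. The domain SID, the -1143 and -513 RIDs, S-1-5-18 and S-1-3-0 come from the numeric listing in the message; the SIDs used for NIMBUS-10\Administrator (domain RID 500) and BUILTIN\Administrators (S-1-5-32-544) are assumptions. Run on the parent ACL it reproduces the four-ACE child listing above; run for a file child it shows the exact-duplicate case collapsing to one ACE.

```python
"""Inheritance of an NT DACL for a new child, plus the merge pass the message
asks for.  Illustrative model only: not Samba's code, not Windows' algorithm."""
from dataclasses import dataclass, replace

# ACE flag bits (MS-DTYP ACE_HEADER AceFlags)
OI = 0x01  # OBJECT_INHERIT_ACE
CI = 0x02  # CONTAINER_INHERIT_ACE
NP = 0x04  # NO_PROPAGATE_INHERIT_ACE
IO = 0x08  # INHERIT_ONLY_ACE
I = 0x10   # INHERITED_ACE
INHERIT_BITS = OI | CI | NP | IO

FULL = 0x001F01FF
CREATOR_OWNER = "S-1-3-0"
CREATOR_GROUP = "S-1-3-1"
ALLOWED, DENIED = 0, 1  # ACE type numbers as smbcacls --numeric prints them


@dataclass(frozen=True)
class Ace:
    sid: str
    kind: int
    flags: int
    mask: int

    def __str__(self) -> str:
        # Same layout as smbcacls --numeric: ACL:sid:type/flags/mask
        return f"ACL:{self.sid}:{self.kind}/{self.flags:#04x}/{self.mask:#010x}"


def inherit(parent: list[Ace], owner: str, group: str, container: bool) -> list[Ace]:
    """Inherited DACL of a new child that has no explicit ACEs of its own."""
    substitute = {CREATOR_OWNER: owner, CREATOR_GROUP: group}
    child: list[Ace] = []
    for ace in parent:
        if not ace.flags & (OI | CI):
            continue                                  # not inheritable
        if container:
            if ace.flags & CI:
                flags = (ace.flags & (OI | CI)) | I   # effective on the new directory
            else:
                flags = OI | IO | I                   # OI only: carried for files below
        elif ace.flags & OI:
            flags = I                                 # file: effective, nothing to pass on
        else:
            continue
        if ace.flags & NP:
            if flags & IO:
                continue                              # nothing left to propagate
            flags = I
        if ace.sid in substitute:
            if not flags & IO:
                # effective ACE for the real owner/group of the new object
                child.append(Ace(substitute[ace.sid], ace.kind, I, ace.mask))
            if flags & (OI | CI):
                # keep the CREATOR ACE itself so grandchildren substitute again
                child.append(Ace(ace.sid, ace.kind, flags | IO, ace.mask))
            continue
        child.append(Ace(ace.sid, ace.kind, flags, ace.mask))
    return child


def merge(acl: list[Ace], owner: str, group: str) -> list[Ace]:
    """Merge pass: only effective ACEs whose trustee is the new OWNER or GROUP
    can have gained a twin from CREATOR OWNER / CREATOR GROUP substitution."""
    acl = list(acl)
    i = 0
    while i < len(acl):
        a = acl[i]
        if a.sid not in (owner, group) or a.flags & INHERIT_BITS:
            i += 1
            continue
        j = 0
        while j < len(acl):
            b = acl[j]
            twin = (j != i and b.sid == a.sid and b.kind == a.kind
                    and not b.flags & IO and (b.flags & ~(OI | CI)) == a.flags)
            if not twin:
                j += 1
                continue
            a = replace(a, mask=a.mask | b.mask)       # b's effective part joins a
            acl[i] = a
            if b.flags & (OI | CI):
                acl[j] = replace(b, flags=b.flags | IO)  # only the inherit-only part stays
                j += 1
            else:
                del acl[j]                               # exact duplicate
                if j < i:
                    i -= 1
        i += 1
    return acl


DOMAIN = "S-1-5-21-1974519673-996841176-3241138571"
LABVIEW = f"{DOMAIN}-1143"        # NIMBUS-10\LabVIEW R&D (from the numeric listing)
DOMAIN_USERS = f"{DOMAIN}-513"    # NIMBUS-10\Domain Users
SYSTEM = "S-1-5-18"
ADMINISTRATOR = f"{DOMAIN}-500"   # assumed SID for NIMBUS-10\Administrator
ADMINISTRATORS = "S-1-5-32-544"   # assumed SID for BUILTIN\Administrators

# Parent DACL of /test1 as listed in the message, in the same order
PARENT = [
    Ace(ADMINISTRATOR, ALLOWED, 0, FULL),
    Ace(ADMINISTRATORS, ALLOWED, 0, FULL),
    Ace(SYSTEM, ALLOWED, OI | CI, FULL),
    Ace(CREATOR_OWNER, ALLOWED, OI | CI | IO, FULL),
    Ace(DOMAIN_USERS, ALLOWED, 0, 0x001200AF),
    Ace(LABVIEW, ALLOWED, OI | CI, 0x001000A1),
]


def new_object_dacl(parent: list[Ace], owner: str, group: str, container: bool) -> list[str]:
    """Inheritance followed by the merge pass, rendered as smbcacls-style lines."""
    return [str(a) for a in merge(inherit(parent, owner, group, container), owner, group)]
```

Calling new_object_dacl(PARENT, LABVIEW, DOMAIN_USERS, container=True) yields the four lines of the xxxyz listing (SYSTEM 0x13, owner 0x10 FULL, CREATOR OWNER 0x1b, owner 0x1b/0x001000a1). With container=False the CREATOR OWNER-derived ACE and the inherited LabVIEW R&D ACE both come out as flags 0x10 for the same SID, and the merge pass collapses them into one, which is the file case with duplicate ACEs mentioned in the message.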