smbcacls support for automatic inheritance propagation

Noel Power nopower at suse.com
Wed Nov 6 11:10:30 MST 2013


Hi,

Like it says in the subject I'm attempting to add some support for
automatic inheritance propagation to smbcacls. I have a WIP patch
(attached). But I also have some questions and uncertainties about the
implementation that would be great to get some advice and clarification
about. Firstly I will describe basically what the current incarnation of
the patch does and then I will outline some of the issues that I would
love to get clarification on.

Currently the patch modifies smbcacls to accept a new parameter
'--propagate-inheritance' to be used with the existing '--add,
--delete, --modify & --set' options. With the '--propagate-inheritance'
option smbcacls tries to behave in a similar way to icacls.exe while
performing similar operations, e.g.

smbcacls  --propagate-inheritance //server1/share1 subpath --add ACL:XXXX

will try to add the ACE(s) contained in ACL passed on the cmdline to
subpath's ACL; furthermore, if any of the ACE(s) in ACL have Object,
Container (or both) inheritance flags enabled then the appropriate
inherited ACE flags (and associated permissions) are propagated to
children of subpath. This more or less mirrors the operation of
'icacls.exe path /grant|/deny sid:perm'.

smbcacls  --propagate-inheritance //server1/share1 subpath --delete ACL:XXXX

will try to delete the matching ACE(s) contained in ACL passed on the
cmdline from the ACL of subpath; if any of the ACE(s) in ACL have
Object, Container (or both) inheritance flags then the appropriate
inherited ACE is also removed from all children of subpath. This more or
less mirrors the operation of 'icacls.exe path /remove sid' removing the
newly created (and propagated) ACE(s) resulting from the previous
'--add' example above; alternatively it mirrors the result of
removing an ACE via the Windows GUI.

smbcacls  --propagate-inheritance //server1/share1 subpath --modify ACL:XXXX

will try to overwrite any ACE(s) contained in ACL of subpath that match
ACE(s) passed on the cmdline; any ACE(s) removed (or added) as a result
of being modified that have Object, Container (or both) inheritance
flags enabled will result in the appropriate inherited ACE being
deleted and/or added to all children of subpath. This more or less
mirrors the operation of 'icacls.exe path /grant|deny:r sid:perm'.

smbcacls  --propagate-inheritance //server1/share1 subpath --set ACL:XXXX

will try to replace the ACL of subpath with the ACL passed on the
cmdline; this time any inheritable ACE removed or added as a result of
the 'set' is propagated (added/removed) to all children of subpath.
There is no real equivalent operation with icacls.exe or the UI (afaics).

So, in essence, currently the behaviour is the base behaviour of smbcacls
with an additional step where inheritable ACE(s) are propagated as
inherited ACE(s) applied to, removed from (or both) the children of the
path operated on.

So, now onto some concerns :)

Firstly I am uncomfortable with '--set' in the context of
'--propagate-inheritance'. '--set' replaces the ACL with no regard for
inheritance; if inheritance is enabled you shouldn't be able to replace
things already inherited. I know I said there is no real analogous
operation with icacls.exe, but if you consider '--set', which replaces the
ACL at 'subpath', to be a combination of delete (the existing ACL) and
add (the new ACL), then if inheritance is enabled (and there are
inherited ACL(s), which there almost certainly will be) attempting to
remove any (or all) ACE(s) at subpath using the UI will prompt you
that you need to break inheritance. If you break inheritance then
'--propagate-inheritance' no longer has relevance, so imo it doesn't make
much sense to support '--set'. But... as I am finding out, this whole
ACL/ACE thing is a minefield, hence my plea for clarification.

Secondly, as explained, smbcacls (with '--propagate-inheritance')
provides the base behaviour of smbcacls with the additional propagation
part. However the base behaviour of smbcacls is powerful and allows you
to basically do what you want; for instance neither 'normal' smbcacls nor
(with '--propagate-inheritance') prevents deletion of an ACE that is
inherited, while imo at least the '--propagate-inheritance' version
should do its utmost to ensure that you don't do anything unexpected
(and technically illegal in the context of automatic inheritance).

Ideally I would modify the current patch to disregard '--set' and make
'--add, --delete & --modify' more restrictive in the context of
inheritance-related behaviour. Before I continue to modify this patch
though, I think it is time to get some feedback and clarification.


thanks in advance,

Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-new-propagate-inheritance-option-for-smbcacl.patch
Type: text/x-patch
Size: 24437 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131106/03acce31/attachment.bin>
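The following is an added toy model of the propagation behaviour the mail describes, written for this page and not part of Noel's patch or of Samba's smbcacls. It implements the '--add' and '--delete' cases with propagation (an OI/CI ACE added at a directory is pushed to children as an inherited 'I' ACE, and deleting it at the origin pulls the copies back out) plus the restriction the mail argues for: deleting an ACE that is itself inherited is refused. Flag names follow the smbcacls spelling (OI, CI, IO, NP, I); the inheritance rules are the standard MS-DTYP ones, including the NP "one level only" case that the mail does not spell out. The share tree, SID and paths are constructed.

```python
"""Toy model of automatic inheritance propagation for an smbcacls-style
--add / --delete (added example, not Samba code). Rules follow MS-DTYP."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Ace:
    sid: str
    kind: str           # "ALLOWED" or "DENIED"
    flags: frozenset    # subset of {"OI", "CI", "IO", "NP", "I"}
    mask: str           # access mask, kept as an opaque string here

    def same_rule(self, other):
        # Match on identity (sid, type, mask); flags are ignored so that an
        # inherited copy matches the inheritable ACE it came from.
        return (self.sid, self.kind, self.mask) == (other.sid, other.kind, other.mask)


@dataclass
class Node:
    name: str
    is_dir: bool
    acl: list = field(default_factory=list)
    children: dict = field(default_factory=dict)


class InheritedAceError(Exception):
    """Raised when a caller tries to remove an ACE that was inherited."""


def lookup(root, path):
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
    return node


def inherited_form(ace, child_is_dir):
    """ACE the child receives from `ace`, or None if nothing inherits.
    OI reaches files, CI reaches directories, NP stops propagation after one
    level, and a directory that only sees OI keeps it as inherit-only (IO)
    so it can still pass the ACE down to its own files."""
    f = ace.flags
    if child_is_dir:
        if "CI" in f:
            new = {"I"} if "NP" in f else (f - {"IO", "NP"}) | {"I"}
        elif "OI" in f and "NP" not in f:
            new = {"OI", "IO", "I"}
        else:
            return None
        return replace(ace, flags=frozenset(new))
    return replace(ace, flags=frozenset({"I"})) if "OI" in f else None


def propagate_add(node, ace):
    for child in node.children.values():
        child_ace = inherited_form(ace, child.is_dir)
        if child_ace is None:
            continue
        if child_ace not in child.acl:
            child.acl.append(child_ace)
        if child.is_dir:
            # Recurse with the child's own form so NP stops at the next level.
            propagate_add(child, child_ace)


def propagate_delete(node, ace):
    for child in node.children.values():
        child.acl = [a for a in child.acl
                     if not ("I" in a.flags and a.same_rule(ace))]
        if child.is_dir:
            propagate_delete(child, ace)


def add_ace(root, path, ace):
    """Modelled 'smbcacls --propagate-inheritance PATH --add ACE'."""
    node = lookup(root, path)
    if ace not in node.acl:
        node.acl.append(ace)
    if node.is_dir and ace.flags & {"OI", "CI"}:
        propagate_add(node, ace)


def delete_ace(root, path, ace):
    """Modelled 'smbcacls --propagate-inheritance PATH --delete ACE', with
    the extra rule that an inherited ACE cannot be removed at the child."""
    node = lookup(root, path)
    matches = [a for a in node.acl if a.same_rule(ace)]
    explicit = [a for a in matches if "I" not in a.flags]
    if matches and not explicit:
        raise InheritedAceError(f"{path}: ACE for {ace.sid} is inherited; "
                                "remove it at the parent or break inheritance")
    node.acl = [a for a in node.acl if a not in explicit]
    if node.is_dir:
        propagate_delete(node, ace)


def flags_at(root, path, sid):
    """Sorted flag lists of every ACE for `sid` at `path` (for inspection)."""
    return [sorted(a.flags) for a in lookup(root, path).acl if a.sid == sid]


def build_share():
    # Constructed tree: //server1/share1 with subpath/{a.txt, sub/b.txt}.
    return Node("", True, children={"subpath": Node("subpath", True, children={
        "a.txt": Node("a.txt", False),
        "sub": Node("sub", True, children={"b.txt": Node("b.txt", False)})})})


def demo():
    root = build_share()
    sid = "S-1-5-21-1-2-3-1001"          # constructed SID
    ace = Ace(sid, "ALLOWED", frozenset({"OI", "CI"}), "READ")
    add_ace(root, "subpath", ace)
    paths = ("subpath", "subpath/a.txt", "subpath/sub", "subpath/sub/b.txt")
    after_add = {p: flags_at(root, p, sid) for p in paths}
    try:                                  # removing an inherited copy is refused
        delete_ace(root, "subpath/sub", ace)
        refused = False
    except InheritedAceError:
        refused = True
    delete_ace(root, "subpath", ace)      # removing at the origin cleans children
    after_delete = {p: flags_at(root, p, sid) for p in paths}
    return after_add, refused, after_delete


if __name__ == "__main__":
    print(demo())
```

Running it shows the subdirectory receiving the ACE as 'OI|CI|I' and the files as plain 'I', the refusal when the same ACE is targeted at 'subpath/sub' where it only exists as an inherited copy, and an empty ACL everywhere once the inheritable ACE is deleted at 'subpath'. The `same_rule` matching deliberately ignores flags, which is what makes "delete the ACE I just added" also find the propagated copies in the children.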

