smbcacls support for automatic inheritance propagation
David Disseldorp
ddiss at suse.de
Thu Jan 30 10:20:51 MST 2014
On Thu, 30 Jan 2014 15:41:00 +0000, Noel Power wrote:
> On 29/01/14 17:50, David Disseldorp wrote:
> > 1651 d_printf("Inheritance enabled at %s, can't apply set operation\n",filename);
> > 1652 result = NT_STATUS_UNSUCCESSFUL;
> >
> > - why is this considered an error, does icacls.exe behave similarly in
> > such a case?
> No, but.. there is no real equivalent to set with iacacls. Also because
> smbcacls --set replaces the ACL with the
> ACL specified on the command-line (with no regard to any inherited
> parent acls) and we issue the --propagate-inheritance indicating we wish
> to honour inheritance we would more than likely be setting non-senisical
> values here. Actually probably what was intended was --add, for that
> reason I inhibit set via an error, if we wish we could remove that error
> and issue a warning instead and continue to propagate, I'm ok with that.
> I see in some of the previous email some confusing comments from me)
> about this (including a comment indicating I was no longer uncomfortable
> with '--set' in the context of --propagate-inheritance) I have no idea
> what I meant there (because I am uncomfortable with it :-)) So.. what do
> you think change this to a warning?
Given it would stomp on any inherited permissions in the tree below, I
tend to agree that bailing out on non-protected set is the best thing
to do for now.
> > 1526 /* find acl(s) that are inherited */
> > 1527 for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
> > 1528
> > 1529 if (old->dacl->aces[j].flags & SEC_ACE_FLAG_INHERITED_ACE) {
> > 1530 if (!add_ace_with_ctx(aclctx, &acl_to_remove,
> > 1531 &old->dacl->aces[j])) {
> > 1532 status = NT_STATUS_NO_MEMORY;
> > 1533 goto out;
> > 1534 }
> > 1535 }
> > 1536 }
> > 1537
> > 1538 /* remove any acl(s) that are inherited */
> > 1539 if (acl_to_remove) {
> > 1540 for (i = 0; i < acl_to_remove->num_aces; i++) {
> > 1541 struct security_ace ace = acl_to_remove->aces[i];
> > 1542 for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
> > 1543
> > 1544 if (sec_ace_equal(&ace,
> > 1545 &old->dacl->aces[j])) {
> > 1546 uint32 k;
> > 1547 for (k = j; k < old->dacl->num_aces-1;
> > 1548 k++) {
> > 1549 old->dacl->aces[k] =
> > 1550 old->dacl->aces[k+1];
> > 1551 }
> > 1552 old->dacl->num_aces--;
> > 1553 break;
> > 1554 }
> > 1555 }
> > 1556 }
> > 1557 }
> > - This code looks waaaaay too complex for what it's doing. IIUC it
> > determines which ACEs can be removed from the existing ACL, and then
> > removes them by collapsing the array in the subsequent loop.
> hmm, not sure I agree with the 'waaaay too complex' possibly I am tunnel
> visioned :-)
> > - sec_ace_equal() is used to check whether the ACE should be
> > removed, but couldn't this also match an explicit
> > (non-inherited) ACE?
> not sure I understand what you mean ?
I thought sec_ace_equal() was only doing a trustee SID comparison. Turns
out it does a full comparison, so your logic was okay :)
> > - Isn't it possible to build a new ACL in the first iteration,
> > ignoring inherited ACEs. Then combine it with acl_to_add.
> sure, I guess, it would save a loop, will do that
> > - What happens in the following scenario:
> > parent_dir
> > +---child_dir
> > +-----nested_file
> > 1) setacl(parent_dir, allow:ddiss:read, OI)
> > 2) setacl(child_dir, allow:noelp:write, OI)
> > Does nested_file end up with both allow: ACEs, or would propagation
> > during setacl(child_dir,...) remove the inherited allow:ddiss ACE?
> it would remove it (if set would work) but remember from above
> attempting to set is prohibited
Would it remain on --add, --modify and --delete?
Cheers, David
More information about the samba-technical
mailing list