ACCESS_DENIED ACL to POSIX Perms conversion.

Kenny Dinh kdinh at peaxy.net
Tue Feb 10 15:12:10 MST 2015


Hello,

We have a configuration where SAMBA sits in front of our FUSE file system.
Our file system does not support ACL.  We notice that when a Windows user
modifies security of a file, an ACCESS_DENIED is returned.  Following the
code in source3/smbd/posix_acls.c, the function "set_nt_acl" calls
"unpack_canon_ace" to convert Windows ACE format into canonical ACE
format.  The call eventually calls two other sub-functions
"create_canon_ace_list" and "ensure_canon_entry_valid_on_set".  Both of the
two sub-functions ended up adding additional ACEs to the ACL.  When the
set_nt_acl function failed to process the ACL, the fall-back path is to try
to convert the ACL to POSIX permissions.  Because the ACL now has more than 3
ACEs, the conversion failed with ACCESS_DENIED.

Attached is my attempt to fix the issue.  I created a copy of the security
descriptor and used it in the fall-back path.  I added a flag to prevent
any new entries from being added to the original ACL.

Could someone verify if this is the correct fix and push the change if it
is?

Thanks,
Kenny Dinh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: posix_perms_patch
Type: application/octet-stream
Size: 9704 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150210/59288b15/attachment.obj>
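
The ordering problem described in the message, as an added example that is not part of the original post and is not Samba code: a simplified C model in which every type and function name is hypothetical. It assumes only what the message states (canonicalisation appends entries, and the fall-back rejects more than 3 ACEs) and models the copy part of the proposed fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT Samba code: every name here is hypothetical. */
enum ace_kind { ACE_USER_OBJ, ACE_GROUP_OBJ, ACE_OTHER, ACE_EXTRA };
struct ace { enum ace_kind kind; unsigned perms; };  /* perms: rwx bits, 0-7 */
struct acl { struct ace e[8]; size_t n; };

/* Stand-in for canonicalisation: appends an entry the client never sent. */
static void model_canonicalize(struct acl *a) {
    a->e[a->n++] = (struct ace){ ACE_EXTRA, 7 };
}
/* Stand-in for a backend with no ACL support (the FUSE case): always fails. */
static bool model_set_acl(const struct acl *a) { (void)a; return false; }

/* Fall-back: only owner/group/other entries can be folded into mode bits. */
static bool model_to_mode(const struct acl *a, unsigned *mode) {
    unsigned m = 0;
    if (a->n > 3) return false;            /* surfaces as ACCESS_DENIED */
    for (size_t i = 0; i < a->n; i++) {
        if (a->e[i].kind == ACE_USER_OBJ)       m |= a->e[i].perms << 6;
        else if (a->e[i].kind == ACE_GROUP_OBJ) m |= a->e[i].perms << 3;
        else if (a->e[i].kind == ACE_OTHER)     m |= a->e[i].perms;
        else return false;
    }
    *mode = m;
    return true;
}
/* Reported behaviour: the fall-back is handed the already-extended list. */
static bool apply_mutating(struct acl a, unsigned *mode) {
    model_canonicalize(&a);
    return model_set_acl(&a) || model_to_mode(&a, mode);
}
/* Approach from the message: keep an untouched copy for the fall-back. */
static bool apply_with_copy(struct acl a, unsigned *mode) {
    struct acl pristine = a;
    model_canonicalize(&a);
    return model_set_acl(&a) || model_to_mode(&pristine, mode);
}
/* Constructed input: owner rwx, group r-x, other r-- (mode 0754). */
static struct acl sample_acl(void) {
    return (struct acl){ { {ACE_USER_OBJ, 7}, {ACE_GROUP_OBJ, 5}, {ACE_OTHER, 4} }, 3 };
}

int main(void) {
    unsigned m = 0;
    bool denied = !apply_mutating(sample_acl(), &m);
    bool ok = apply_with_copy(sample_acl(), &m);
    printf("mutating denied=%d, copy ok=%d, mode=%o\n", denied, ok, m);
    return 0;
}
```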