ACCESS_DENIED ACL to POSIX Perms conversion.

Kenny Dinh kdinh at
Tue Feb 10 15:12:10 MST 2015


We have a configuration where SAMBA sits in front of our FUSE file system.
Our file system does not support ACL.  We notice that when a Windows user
modifies security of a file, an ACCESS_DENIED is returned.  Following the
code in source3/smbd/posix_acls.c, the function "set_nt_acl" calls
"unpack_canon_ace" to convert Windows ACE format into canonical ACE
format.  The call eventually calls two other sub-functions
"create_canon_ace_list" and "ensure_canon_entry_valid_on_set".  Both of the
sub-functions ended up adding additional ACEs to the ACL.  When the
set_nt_acl function failed to process the ACL, the fall-back path is to try
to convert the ACL to POSIX permissions.  Because the ACL now has more than 3
ACEs, the conversion failed with ACCESS_DENIED.

Attached is my attempt to fix the issue.  I created a copy of the security
descriptor and used it in the fall-back path.  I added a flag to prevent
any new entries from being added to the original ACL.

Could someone verify if this is the correct fix and push the change if it

Kenny Dinh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: posix_perms_patch
Type: application/octet-stream
Size: 9704 bytes
Desc: not available
URL: <>
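
The failure mode described in the message above, as an added example: a simplified C model that is neither Samba code nor the attached patch. All type and function names are hypothetical, and the single extra entry appended by `canonicalise` is a constructed stand-in for the additional ACEs the post mentions.

```c
#include <stdbool.h>

/* Simplified model; every name here is hypothetical, none is Samba's. */
enum who { OWNER, GROUP, OTHER, EXTRA };
struct ace { enum who who; unsigned rwx; };   /* rwx: permission bits 0..7 */
struct acl { struct ace e[8]; int n; };

/* Stand-in for canonicalisation: appends an entry in place (constructed). */
static void canonicalise(struct acl *a)
{
    if (a->n < 8) a->e[a->n++] = (struct ace){ EXTRA, 0 };
}

/* Backend without ACL support: storing an ACL always fails. */
static bool backend_set_acl(const struct acl *a) { (void)a; return false; }

/* Fallback: succeeds only for at most 3 owner/group/other entries. */
static bool acl_to_mode(const struct acl *a, unsigned *mode)
{
    unsigned m = 0;
    if (a->n > 3) return false;
    for (int i = 0; i < a->n; i++) {
        switch (a->e[i].who) {
        case OWNER: m |= a->e[i].rwx << 6; break;
        case GROUP: m |= a->e[i].rwx << 3; break;
        case OTHER: m |= a->e[i].rwx;      break;
        default:    return false;
        }
    }
    *mode = m;
    return true;
}

/* Fallback sees the list after it was grown in place: returns -1 (denied). */
int set_acl_in_place(struct acl *a, unsigned *mode)
{
    canonicalise(a);
    if (backend_set_acl(a)) return 0;
    return acl_to_mode(a, mode) ? 0 : -1;
}

/* Fallback sees a copy taken before canonicalisation: returns 0. */
int set_acl_with_copy(struct acl *a, unsigned *mode)
{
    struct acl original = *a;
    canonicalise(a);
    if (backend_set_acl(a)) return 0;
    return acl_to_mode(&original, mode) ? 0 : -1;
}
```

With a three-entry ACL of owner 6, group 4, other 4, the in-place variant is denied because the fallback is handed four entries, while the copy variant yields mode 0644.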