ACCESS_DENIED ACL to POSIX Perms conversion.
kdinh at peaxy.net
Tue Feb 10 15:12:10 MST 2015
We have a configuration where SAMBA sits in front of our FUSE file system.
Our file system does not support ACL. We notice that when a Windows user
modifies security of a file, an ACCESS_DENIED is returned. Following the
code in source3/smbd/posix_acls.c, the function "set_nt_acl" calls
"unpack_canon_ace" to convert Windows ACE format into canonical ACE
format. The call eventually calls two other sub-functions
"create_canon_ace_list" and "ensure_canon_entry_valid_on_set". Both of the
two sub-functions, ended up adding additional ACEs to the ACL. When
set_nt_acl function failed to process the ACL, the fall-back path is to try
to convert ACL to POSIX permission. Because the ACL now has more than 3
ACEs, the coversion failed with ACCESS_DENIED.
Attached is my attempt to fix the issue. I created a copy of the security
descriptor and used it to in the fall-back path. I added a flag to prevent
any new entries from being added to the original ACL.
Could someone verify if this is the correct fix and push the change if it
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 9704 bytes
Desc: not available
More information about the samba-technical