ACCESS_DENIED ACL to POSIX Perms conversion.

Jeremy Allison jra at samba.org
Tue Feb 10 15:33:41 MST 2015


On Tue, Feb 10, 2015 at 02:12:10PM -0800, Kenny Dinh wrote:
> Hello,
> 
> We have a configuration where SAMBA sits in front of our FUSE file system.
> Our file system does not support ACL.  We notice that when a Windows user
> modifies security of a file, an ACCESS_DENIED is returned.  Following the
> code in source3/smbd/posix_acls.c, the function "set_nt_acl" calls
> "unpack_canon_ace" to convert Windows ACE format into canonical ACE
> format.  The call eventually calls two other sub-functions
> "create_canon_ace_list" and "ensure_canon_entry_valid_on_set".  Both of the
> two sub-functions, ended up adding additional ACEs to the ACL.  When
> set_nt_acl function failed to process the ACL, the fall-back path is to try
> to convert ACL to POSIX permission.  Because the ACL now has more than 3
> ACEs, the coversion failed with ACCESS_DENIED.
> 
> Attached is my attempt to fix the issue.  I created a copy of the security
> descriptor and used it to in the fall-back path.  I added a flag to prevent
> any new entries from being added to the original ACL.
> 
> Could someone verify if this is the correct fix and push the change if it

No, it isn't the correct fix I'm afraid.

If your file system doesn't support ACLs, the
correct thing to do is to return ENOSYS or
ENOTSUP when a call into SMB_VFS_SYS_ACL_SET_FILE()
or any of the other sys_acl_XXX() Samba
VFS functions are called.

Samba will then fall back correctly to
using 3-element permissions ('correctly'
meaning as best it can :-).


More information about the samba-technical mailing list