ACCESS_DENIED ACL to POSIX Perms conversion.

John Mulligan phlogistonjohn at asynchrono.us
Tue Feb 10 16:01:44 MST 2015


On Tuesday, February 10, 2015 02:33:41 PM Jeremy Allison wrote:
> On Tue, Feb 10, 2015 at 02:12:10PM -0800, Kenny Dinh wrote:
> > Hello,
> > 
> > We have a configuration where SAMBA sits in front of our FUSE file system.
> > Our file system does not support ACL.  We notice that when a Windows user
> > modifies security of a file, an ACCESS_DENIED is returned.  Following the
> > code in source3/smbd/posix_acls.c, the function "set_nt_acl" calls
> > "unpack_canon_ace" to convert Windows ACE format into canonical ACE
> > format.  The call eventually calls two other sub-functions
> > "create_canon_ace_list" and "ensure_canon_entry_valid_on_set".  Both of
> > the
> > two sub-functions, ended up adding additional ACEs to the ACL.  When
> > set_nt_acl function failed to process the ACL, the fall-back path is to
> > try
> > to convert ACL to POSIX permission.  Because the ACL now has more than 3
> > ACEs, the coversion failed with ACCESS_DENIED.
> > 
> > Attached is my attempt to fix the issue.  I created a copy of the security
> > descriptor and used it to in the fall-back path.  I added a flag to
> > prevent
> > any new entries from being added to the original ACL.
> > 
> > Could someone verify if this is the correct fix and push the change if it
> 
> No, it isn't the correct fix I'm afraid.
> 
> If your file system doesn't support ACLs, the
> correct thing to do is to return ENOSYS or
> ENOTSUP when a call into SMB_VFS_SYS_ACL_SET_FILE()
> or any of the other sys_acl_XXX() Samba
> VFS functions are called.
> 
> Samba will then fall back correctly to
> using 3-element permissions ('correctly'
> meaning as best it can :-).

I didn't read the whole patch but at least part of what Kenny is describing 
seems to overlap with this bug I filed a while back: 
https://bugzilla.samba.org/show_bug.cgi?id=10489

I worked around our issue for the time being, but the last time I looked Samba 
4.1 was unable to generate the 3-element perms in any test case I tried.

When I took a stab at it the "adding additional ACEs to the ACL" was surely 
involved in the problem. Somehow the conversion code gets to a point where 
there were too many aces, and for a lack of a better word, gives up. 
Unfortunately it was not a high priority for me and I didn't keep on debugging 
it.


PS. Apologies if you get a duplicate of this, I actually managed to typo my 
own email (!) and I think I was filtered/greylisted.


More information about the samba-technical mailing list