ACCESS_DENIED ACL to POSIX Perms conversion.
kdinh at peaxy.net
Tue Feb 10 18:30:34 MST 2015
Thank you for reviewing. Since this issue is low priority, I apologize for
taking a little more of your time.
I understood your suggestions and will explore those paths. Due to
security reasons, I understood that the patch should not get pushed upstream.
For the sake of discussion, I just want to clarify a few points before
ending the thread.
1) Yes, the check in "convert_canon_ace_to_posix_perms" is where I
encountered the error.
However, the extra entries were added by SAMBA. Windows user sent only 3
ACEs, but the two functions I mentioned earlier, "create_canon_ace_list" and
added 2 additional ACEs.
The attached snapshot of Wireshark shows the requests being sent with 3 ACEs.
[image: Inline image 1]
However, in the log file, two new ACEs were added, canon_ace index 1
(SMB_ACL_USER) and 4 (SMB_ACL_GROUP):
[2015/02/10 17:04:37.201078, 10, pid=22591, effective(10500, 10513), real(10500, 0), class=acls]
print_canon_ace_list: file ace - before merge
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-1110 uid 11110 (testgroup1) SMB_ACL_USER ace_flags = 0x0 perms r--
canon_ace index 2. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-1110 gid 11110 (testgroup1) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-500 uid 10500 (administrator) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-500 gid 10500 (administrator) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
[2015/02/10 17:04:37.206550, 10, pid=22591, effective(10500, 10513), real(10500, 0), class=acls]
2) "simply strips out everything except u/g/o permissions" - Not entirely
correct. The code only strips out the extra entries that were added by
"create_canon_ace_list" and "ensure_canon_entry_valid_on_set".
the addition canon_ace index 1, and 4, from being added. Each ACE is set
or SMB_ACL_GROUP_OBJ, depends on whether the SID represents a user or a
All ACEs that the Windows client sent are preserved. If the client sends 4 ACEs,
"convert_canon_ace_to_posix_perms" will see 4 ACEs.
Hope this clarifies things a bit.
On Tue, Feb 10, 2015 at 3:20 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Feb 10, 2015 at 06:01:44PM -0500, John Mulligan wrote:
> > I didn't read the whole patch but at least part of what Kenny is
> > seems to overlap with this bug I filed a while back:
> > https://bugzilla.samba.org/show_bug.cgi?id=10489
> > I worked around our issue for the time being, but the last time I looked
> > 4.1 was unable to generate the 3-element perms in any test case I tried.
> > When I took a stab at it the "adding additional ACEs to the ACL" was
> > involved in the problem. Somehow the conversion code gets to a point
> > there were too many aces, and for a lack of a better word, gives up.
> > Unfortunately it was not a high priority for me and I didn't keep on
> > it.
> Ah, I remember that bug - thanks for jogging my memory.
> Unfortunately making Samba work on top of filesystems
> with no ACLs is somewhat of a low priority - I'm not
> sure we can do it to fail safely in any case.
> I think the approach I suggested in the other email
> would work, although for security reasons I don't
> think we can use that upstream.
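As an added example (my own code, not from this thread and not Samba's), here is a small Python parser for the print_canon_ace_list debug output quoted above, together with a simplified model of the constraint being discussed: a canon_ace list can be turned into u/g/o mode bits only when it consists of exactly one allow entry each for SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ and SMB_ACL_OTHER. The regular expression, the function names and the mode-bit mapping are assumptions modelled on the log format shown; Samba's real convert_canon_ace_to_posix_perms handles cases this model leaves out. Run over the sample log it reports canon_ace index 1 and 4 as the entries that block the conversion, and shows what the "strip only the extra entries" approach from point 2 leaves behind, so that anyone evaluating such a change can see exactly which access-control entries would be discarded rather than having them vanish silently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: constructed from the print_canon_ace_list lines quoted in the
# thread, re-joined onto one line per entry (the parser also accepts wrapped lines).
SAMPLE_LOG = """
print_canon_ace_list: file ace - before merge
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-1110 uid 11110 (testgroup1) SMB_ACL_USER ace_flags = 0x0 perms r--
canon_ace index 2. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-1110 gid 11110 (testgroup1) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-500 uid 10500 (administrator) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID = S-1-5-21-4189473893-3250479902-1333435561-500 gid 10500 (administrator) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
"""

# Assumption: regex modelled on the log lines above, not taken from Samba.
ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\. Type = (?P<type>allow|deny) "
    r"SID = (?P<sid>S-[\d-]+) "
    r"(?:other|(?P<idkind>uid|gid) (?P<id>\d+) \((?P<name>[^)]*)\)) "
    r"(?P<tag>SMB_ACL_\w+) ace_flags = (?P<flags>0x[0-9a-fA-F]+) "
    r"perms (?P<perms>[rwx-]{3})"
)

# The three entry kinds a plain POSIX mode can express directly.
POSIX_TAGS = ("SMB_ACL_USER_OBJ", "SMB_ACL_GROUP_OBJ", "SMB_ACL_OTHER")


@dataclass
class CanonAce:
    index: int
    ace_type: str
    sid: str
    tag: str
    perms: str
    name: Optional[str]  # name shown after uid/gid; None for the 'other' entry


def parse_canon_ace_list(text: str) -> List[CanonAce]:
    """Extract canon_ace entries from level-10 'acls' debug output."""
    flat = re.sub(r"\s+", " ", text)  # undo the line wrapping in the log
    return [
        CanonAce(int(m["index"]), m["type"], m["sid"], m["tag"], m["perms"], m["name"])
        for m in ACE_RE.finditer(flat)
    ]


def perm_bits(perms: str) -> int:
    """'rwx' -> 7, 'r--' -> 4, '---' -> 0."""
    return ((4 if perms[0] == "r" else 0)
            | (2 if perms[1] == "w" else 0)
            | (1 if perms[2] == "x" else 0))


def to_posix_mode(aces: List[CanonAce]) -> Tuple[Optional[int], List[CanonAce]]:
    """Simplified model (assumption, not Samba's code) of the conversion constraint:
    the list maps to u/g/o bits only if it is exactly one allow entry for each of
    USER_OBJ, GROUP_OBJ and OTHER. Returns (mode, entries_that_block_conversion)."""
    blocking = [a for a in aces if a.tag not in POSIX_TAGS or a.ace_type != "allow"]
    by_tag = {a.tag: a for a in aces if a.tag in POSIX_TAGS and a.ace_type == "allow"}
    if blocking or len(by_tag) != 3 or len(aces) != 3:
        return None, blocking
    mode = (perm_bits(by_tag["SMB_ACL_USER_OBJ"].perms) << 6
            | perm_bits(by_tag["SMB_ACL_GROUP_OBJ"].perms) << 3
            | perm_bits(by_tag["SMB_ACL_OTHER"].perms))
    return mode, blocking


def strip_extras(aces: List[CanonAce]) -> List[CanonAce]:
    """What the 'strip only the extra entries' approach from the thread leaves:
    keep the u/g/o entries, drop the SMB_ACL_USER / SMB_ACL_GROUP ones."""
    return [a for a in aces if a.tag in POSIX_TAGS]


if __name__ == "__main__":
    aces = parse_canon_ace_list(SAMPLE_LOG)
    mode, blocking = to_posix_mode(aces)
    print("entries:", len(aces), "mode:", mode)
    for a in blocking:
        print(f"  blocks conversion: index {a.index} {a.tag} {a.sid} ({a.name}) perms {a.perms}")
    mode, _ = to_posix_mode(strip_extras(aces))
    print("after stripping extras: mode", oct(mode) if mode is not None else None)
```

On the sample log the first call returns no mode and lists index 1 and 4; after strip_extras the remaining three entries map to 0o747 (owner rwx, group r--, other rwx). Printing the dropped entries with their SIDs and names is the part worth keeping in any real variant of this: it makes visible what access-control information the conversion loses.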