ACCESS_DENIED ACL to POSIX Perms conversion.
jra at samba.org
Tue Feb 10 22:03:37 MST 2015
On Tue, Feb 10, 2015 at 05:30:34PM -0800, Kenny Dinh wrote:
> Thank you for reviewing. Since this issue is low priority, I apologize for
> taking a little more of your time.
> I understood your suggestions and will explore those paths. Due to
> security reason, I understood that
> the patch should not get pushed upstream.
> For the sake of discussion, I just want to clarify a few points before
> ending the thread.
> 1) Yes, the check in "convert_canon_ace_to_posix_perms" is where I
> encountered the error.
> However, the extra entries were added by SAMBA. Windows user sent only 3
> ACEs, but the
> two functions I mentioned earlier, "create_canon_ace_list" and
> added 2 additional ACEs.
> The attached snapshot of Wireshark show the requests being sent with 3 ACEs.
> [image: Inline image 1]
> However, in the log file, two new ACEs were added, canon_ace index 1
> (SMB_ACL_USER), and 4(SMB_ACL_GROUP)
Yeah, but that can happen for correctness. I'd need
to see a debug level 10 log to see what Windows wanted
to understand why we added the 2 extra entries.
Might be a winbindd doing a user+group addition
as we have to map groups to users also sometimes in order
to allow files to appear to be owned by a group.
> [2015/02/10 17:04:37.201078, 10, pid=22591, effective(10500, 10513),
> real(10500, 0), class=acls]
> print_canon_ace_list: file ace - before merge
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID =
> S-1-5-21-4189473893-3250479902-1333435561-1110 uid 11110 (testgroup1)
> SMB_ACL_USER ace_flags = 0x0 perms r--
> canon_ace index 2. Type = allow SID =
> S-1-5-21-4189473893-3250479902-1333435561-1110 gid 11110 (testgroup1)
> SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
> canon_ace index 3. Type = allow SID =
> S-1-5-21-4189473893-3250479902-1333435561-500 uid 10500 (administrator)
> SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 4. Type = allow SID =
> S-1-5-21-4189473893-3250479902-1333435561-500 gid 10500 (administrator)
> SMB_ACL_GROUP ace_flags = 0x0 perms rwx
> [2015/02/10 17:04:37.206550, 10, pid=22591, effective(10500, 10513),
> real(10500, 0), class=acls]
> 2) "simply strips out everything except u/g/o
> permissions" - Not entirely correct. The code only strip out the extra
> entries that were added
> by "create_canon_ace_list" and "ensure_canon_entry_valid_on_set".
> Essentially, preventing
> the addition canon_ace index 1, and 4, from being added. Each ACE is set
> with SMB_ACL_USER_OBJ,
> or SMB_ACL_GROUP_OBJ, depends on whether the SID represents a user or a
> All ACEs that Windows client sent are preserved. If client send 4 ACEs,
> "convert_canon_ace_to_posix_perms" will see 4 ACEs.
> Hope this clarify things a bit.
Ah I see. But isn't that still going to fail
against your FUSE filesystem that doesn't allow
more than u/g/o ?
What do you *want* this code to do for you ?
More information about the samba-technical