ACCESS_DENIED ACL to POSIX Perms conversion.

Wed Feb 11 10:49:27 MST 2015

On Tue, Feb 10, 2015 at 10:26:13PM -0800, Kenny Dinh wrote:
> Attached is the level 10 log.Â  If you search "set_nt_acl", you will
> find the entry of function where the operation begins.
> 
> "Ah I see. But isn't that still going to fail
> against your FUSE filesystem that doesn't allow
> more than u/g/o"
> Yes, the request will fail if the user sends an ACL that does not have exactly
> u/g/o.
> 
> What I wanted the code to do was trying to make the "best effort" in
> the fall back logic.
> Since the back end does not support POSIX ACLs, and IFF there are exactly u/g/
> o ACEs in the DACL,
> I would attempt to translate the permissions.
> 
> It is clear to me now that this 'hack' applies only a very limited set of use
> case.
> 
> Thanks again for your time, Jeremy!

No problem - I still think a less intrusive change
that would have the same effect is the following:

Let me know if this works for you (it can't go into
mainline, but it's a much smaller seperate patch to
carry if you need to keep this going forward).
-------------- next part --------------

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 6a5ec85..1bc3b09 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3085,12 +3085,14 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
 	canon_ace *group_ace = NULL;
 	canon_ace *other_ace = NULL;
 
+#if 0
 	if (ace_count != 3) {
 		DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
 			 "entries for file %s to convert to posix perms.\n",
 			 fsp_str_dbg(fsp)));
 		return False;
 	}
+#endif
 
 	for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
 		if (ace_p->owner_type == UID_ACE)
