Rename is allowed after setting ACL

VigneshDhanraj G vigneshdhanraj.g at gmail.com
Wed Sep 28 14:23:41 UTC 2016


Hi Uri,

In Windows I have two users, admin and dhanraj. I denied the permissions for
user dhanraj, logged in as dhanraj and tried to rename the acl.csv file; it
is not allowing the rename.

Windows share cacls output

Parent folder:
C:\Users\admin>cacls c:/ /S
c:\
"D:PAI(A;OICIIO;FA;;;CO)(A;OICINP;FA;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5
-21-3711088774-2030633858-2390184040-1001)(A;OICI;FA;;;BA)(A;OICI;FA;;;BU)"

File:
C:\Users\admin>cacls c:/acl.csv /S
c:\acl.csv
"D:AI(D;;FA;;;S-1-5-21-3711088774-2030633858-2390184040-1001)(A;;0x12
00a9;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;S-1-5-21-37110887
74-2030633858-2390184040-1001)(A;ID;FA;;;BU)"

My Linux machine has users a and b. I denied the permissions for user b,
logged in as b and tried to rename the fg.png file; I am able to rename it.

Linux share mounted in my windows pc as Z:\

Parent Folder
C:\Users\admin>cacls z:/ /S
z:\
"D:P(A;;FA;;;S-1-5-21-1016863977-3881512238-1033046097-501)(A;;FA;;;S-1-22-2
-100)(A;;FA;;;WD)"

File:
C:\Users\admin>cacls z:/fg.png /S
z:\fg.png
"D:P(A;;0x1f019f;;;S-1-5-21-1016863977-3881512238-1033046097-501)(A;;;
;;S-1-5-21-1016863977-3881512238-1033046097-3002)(A;;0x1f019f;;;S-1-22-2-100)(A;
;0x1f019f;;;S-1-22-2-100)(A;;0x1f019f;;;S-1-5-21-1016863977-3881512238-103304609
7-501)(A;;0x1f019f;;;WD)"

Regards,
Vigneshdhanraj G



On Wed, Sep 28, 2016 at 1:35 PM, Uri Simchoni <uri at samba.org> wrote:

> On 09/28/2016 10:27 AM, VigneshDhanraj G wrote:
> > Hi Jeremy,
> >
> > Let me explain my doubt clearly.
> >
> > I am using samba 4.3 version where as you said “acl” is enabled by
> default.
> > I have few shares in my Linux machine.
> >
> > Now I try to access my Linux share from a windows 7 machine via CIFS.
> > I could get the listing of all the files in my share.
> >
> > I tried to change the permission of a particular file for a particular
> user.
> > Actually I denied read-write permission for that file for the user.
> >
> > But when I try to login with that user, I could not read/write to the
> file.
> > But it allows me to rename the file alone.
> >
> > In my previous discussions in this forum, I heard this permission concept
> > goes by Windows behavior.
> >
> > So I did a try of doing the same settings which I have described above to
> > one of my Windows share.
> > Now when I tried to login with the user and when I tried to access the
> file
> > from another Windows machine,
> > in addition to read-write, rename is also denied giving an error pop-up
> > saying “You don’t have permission to
> > perform this action”.
> >
> > If samba acl behavior goes by that of windows then how come samba allows
> > rename whereas windows does not.
> >
> > Hope you understand and please let me know if any further info is needed.
> >
> > Thanks
> > Vigneshdhanraj G
> >
> > On Tue, Sep 27, 2016 at 10:04 PM, Jeremy Allison <jra at samba.org> wrote:
> >
> >> On Tue, Sep 27, 2016 at 07:32:03PM +0530, VigneshDhanraj G wrote:
> >>> Jeremy,
> >>>
> >>> Windows is not allowing to rename if write permission is denied.
> >>> Please let me know why samba allows renaming when acl is enabled.
> >>
> >> You are not being at all clear I'm afraid. Please explain
> >> exactly the difference in behavior between Windows and Samba.
> >>
> >> "if write permission is denied" tells us nothing. Write
> >> permission is denied on what object ?
> >>
> >> "when acl is enabled" - ACLs are always enabled. What
> >> does this mean ?
> >>
> >> You see my problem ?
> >>
> Please provide the output of the following commands, run from your
> client command window:
>
> cacls <parent folder> /S
> cacls <parent folder>\<file that can be renamed> /S
>
> Then repeat it on the Windows share.
>
> So we're looking for 4 commands and their output. Hopefully that will
> provide an explanation, although we're not showing the process token
> which is another piece of the puzzle.
>
> Thanks,
> Uri.
>
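
Added example, not part of the original thread and not Samba's code: a small decoder for the SDDL strings in the cacls output above. It walks each DACL in order and reports which access bits end up granted or denied, including DELETE on the file and FILE_DELETE_CHILD on the parent, which Windows consults on the source side of a rename. The token SID sets are assumptions, since the thread does not show the process token, and the access check is simplified.

```python
import re

# Access-mask bits (winnt.h). SDDL rights are two-letter codes or a hex mask.
DELETE, FILE_DELETE_CHILD = 0x00010000, 0x00000040
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0, "SD": DELETE}

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, sid)] for each ACE in an SDDL DACL string."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", re.sub(r"\s+", "", sddl)):  # unwrap lines
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        if rights[:2].lower() == "0x":
            mask = int(rights, 16)
        else:                                  # "" -> 0, "FRFX" -> FR | FX
            mask = 0
            for code in re.findall("..", rights):
                mask |= RIGHTS[code]
        aces.append((ace_type, set(re.findall("..", flags)), mask, sid))
    return aces

def effective(sddl, token_sids):
    """Simplified access check; ignores owner rights, privileges and share ACLs."""
    granted = denied = 0
    for ace_type, flags, mask, sid in parse_dacl(sddl):   # order matters
        if sid not in token_sids or "IO" in flags:        # IO = inherit-only
            continue
        if ace_type == "D":
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return granted, denied

# DACLs from the cacls output in this thread, console line wrapping removed.
WIN_USER = "S-1-5-21-3711088774-2030633858-2390184040-1001"
SMB_DOM = "S-1-5-21-1016863977-3881512238-1033046097"
WIN_FILE = (f"D:AI(D;;FA;;;{WIN_USER})(A;;0x1200a9;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;AU)"
            f"(A;ID;FA;;;SY)(A;ID;FA;;;{WIN_USER})(A;ID;FA;;;BU)")
SMB_FILE = (f"D:P(A;;0x1f019f;;;{SMB_DOM}-501)(A;;;;;{SMB_DOM}-3002)"
            "(A;;0x1f019f;;;S-1-22-2-100)(A;;0x1f019f;;;S-1-22-2-100)"
            f"(A;;0x1f019f;;;{SMB_DOM}-501)(A;;0x1f019f;;;WD)")
SMB_DIR = f"D:P(A;;FA;;;{SMB_DOM}-501)(A;;FA;;;S-1-22-2-100)(A;;FA;;;WD)"
# Assumed tokens (the page does not show them): the SID holding the D ACE on
# Windows / the empty-mask A ACE on Samba, plus Everyone (WD).
WIN_TOKEN, SMB_TOKEN = {WIN_USER, "WD"}, {f"{SMB_DOM}-3002", "WD"}

if __name__ == "__main__":
    for name, sd, tok in (("windows file", WIN_FILE, WIN_TOKEN),
                          ("samba file", SMB_FILE, SMB_TOKEN), ("samba dir", SMB_DIR, SMB_TOKEN)):
        granted, denied = effective(sd, tok)
        print(f"{name}: granted={granted:#x} denied={denied:#x}")
```

Under these assumed tokens the Windows file DACL denies every bit of FA before any allow ACE is reached, while the DACL reported for the Samba file contains no deny ACE at all, only an allow ACE with an empty mask followed by an Everyone ACE that includes DELETE.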


More information about the samba-technical mailing list