Looks like we do not have self-tests for smbcacls

Noel Power nopower at suse.com
Thu Aug 3 16:07:49 UTC 2017


On 03/08/17 14:09, Noel Power wrote:
>> 3. Assuming this *is* a Windows Explorer look-alike, Windows
>> Explorer pops up a message if it fails to set the ACL of a file,
>> allowing the user to continue or abort. IMHO that would be useful
>> here, because changing a large tree without the option to continue
>> would be difficult. The program can output messages on files which
>> failed.
> see above, smbcacls like icacls is a power tool, you can shoot
> yourself in the foot royally, I can't recall whether an icacls
> failure is reported and it continues on or not. My gut feeling is we
> should do as icacls does (where possible) I'll look into what it
> does

What appears to happen is that although inheritable aces are propagated
to all child containers and files icacls only reports that it is
processing a single file. Any access errors (or failure to apply
inheritable aces) appear to be squashed and icacls.exe continues best
effort. smbcacls doesn't behave like this, I believe it should (good
call to make me check this behaviour)

Here is a sample run from Windows.

icacls is operating on the top level 'oi_dir' directory, however there
is a lower level directory 'oi_dir/other' that is inaccessible

  +-test_dir/
    +-oi_dir/ <= (not accessible)
    | +-file-1
    | +-pfile.txt
    | +-nested/
    |   +-file-2
    | +-other/

Note: icacls.exe /T switch effectively operates recursively

  c:\Temp>icacls oi_dir/ /grant Administrator:(OI)(CI)(R)
  processed file: oi_dir/
  Successfully processed 1 files; Failed processing 0 files

  c:\Temp>icacls oi_dir /T
  oi_dir TESTDOMAIN1\Administrator:(OI)(CI)(R)
         TESTDOMAIN1\Administrator:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         Everyone:(I)(OI)(CI)(F)

  oi_dir\file-1 TESTDOMAIN1\Administrator:(I)(R)
                TESTDOMAIN1\Administrator:(I)(F)
                BUILTIN\Administrators:(I)(F)
                Everyone:(I)(F)

  oi_dir\nested TESTDOMAIN1\Administrator:(I)(OI)(CI)(R)
                TESTDOMAIN1\Administrator:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                Everyone:(I)(OI)(CI)(F)

  oi_dir\other: Access is denied.
  Successfully processed 3 files; Failed processing 1 files

Note: Failure above prevented icacls from displaying the ACL for
pfile.txt (but it was modified with the propagated ace(s))

  c:\Temp>icacls oi_dir/pfile.txt /T
  oi_dir/pfile.txt TESTDOMAIN1\Administrator:(I)(R)
                   TESTDOMAIN1\Administrator:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   Everyone:(I)(F)

  oi_dir\other\*: Access is denied.
  Successfully processed 1 files; Failed processing 1 files

  c:\Temp>icacls oi_dir/other
  oi_dir/other: Access is denied.
  Successfully processed 0 files; Failed processing 1 files

  c:\Temp>icacls oi_dir/other /grant  Administrator:(OI)(F)
  oi_dir/other: Access is denied.
  Successfully processed 0 files; Failed processing 1 files
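
In the sample run a failure shows up only as a `path: message` line and as a count in the summary, so a script that consumes this output has to check both. The following is an added example, not part of the original message and not Samba or Microsoft code: a parser for the `icacls /T` listing that reports which paths could not be confirmed. It assumes paths contain no whitespace, and `parse_icacls` and `audit` are names made up for the example.

```python
import re

# Constructed input: `icacls oi_dir /T` output abridged from the message above.
SAMPLE = r"""oi_dir TESTDOMAIN1\Administrator:(OI)(CI)(R)
       Everyone:(I)(OI)(CI)(F)

oi_dir\file-1 TESTDOMAIN1\Administrator:(I)(R)
              Everyone:(I)(F)

oi_dir\nested TESTDOMAIN1\Administrator:(I)(OI)(CI)(R)
              Everyone:(I)(OI)(CI)(F)

oi_dir\other: Access is denied.
Successfully processed 3 files; Failed processing 1 files
"""

ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")
SUMMARY = re.compile(r"^Successfully processed (\d+) files; Failed processing (\d+) files$")
ERROR = re.compile(r"^(\S+): (.+)$")

def parse_icacls(text):
    """Split icacls output into per-path ACEs, per-path errors and the summary."""
    acls, errors, summary, current = {}, [], None, None
    for line in text.splitlines():
        body = line.strip()
        if m := SUMMARY.match(body):
            summary = (int(m[1]), int(m[2]))
            continue
        if body and not line[0].isspace():
            # Assumption: paths contain no whitespace, so the first token is the path.
            path, _, rest = body.partition(" ")
            if ACE.match(rest.strip()):
                current, body = path, rest.strip()
                acls[current] = []
            elif m := ERROR.match(body):
                errors.append((m[1], m[2]))
                continue
        if current and (m := ACE.match(body)):
            acls[current].append((m[1], re.findall(r"\(([^)]*)\)", m[2])))
    return acls, errors, summary

def audit(text, who, right):
    """Report what the listing does NOT prove about `who` having an ACE flagged `right`."""
    acls, errors, summary = parse_icacls(text)
    lacks = [p for p, aces in acls.items()
             if not any(w == who and right in f for w, f in aces)]
    # Any failure means objects may be absent from the listing (pfile.txt above).
    complete = summary == (len(acls), 0) and not errors
    return {"missing": lacks, "denied": [p for p, _ in errors], "complete": complete}
```

The flag match is literal: `audit(SAMPLE, "Everyone", "R")` lists every path as missing even though `(F)` implies read access, so map rights to the flags actually expected before relying on `missing`.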



