[PATCH] vfs_acl_xattr|tdb: set create mask to 0777 if ignore_system_acls is set

Uri Simchoni uri at samba.org
Mon Feb 6 18:30:19 UTC 2017

On 02/06/2017 03:04 PM, Ralph Böhme wrote:
> On Mon, Feb 06, 2017 at 02:47:08PM +0200, Uri Simchoni wrote:
>> On 02/06/2017 02:19 PM, Ralph Böhme wrote:
>>> Hi!
>>> Attached is a patch for bug
>>> https://bugzilla.samba.org/show_bug.cgi?id=12562
>>> The fix for bug #12181 included a change that should ensure filesystem
>>> permissions are out of the way when using VFS modules acl_xattr or acl_tdb with
>>> "acl_xattr:ignore system acls = yes".
>>> At runtime, when the module is loaded, we set "create mask = 0666" which doesn't
>>> contain executable rights files. This should really by "create mask = 0777"
>>> instead.
>>> Please review & push if happy. Thanks!
>>> Cheerio!
>>> -slow
>> Well, what if I want files created to be 0666?
> huh, why would you? You've explicitly requested
>   acl_xattr:ignore system acls = yes
> whose behaviour is
>   When set to yes, a best effort mapping from/to the POSIX ACL layer will not be
>   done by this module.
> I know it says "POSIX ACL", but you can't seperate the POSIX mode from the ACL
> from a functional perspective. We must ensure filesytem permissions are
> completely open and permission checking is based entirely on the ACL blob from
> the xattr, not on some unpredictable mix of blob and fs.
> Cheerio!
> -slow

I just think 0777 increases the attack surface if the admin doesn't wish
files stored on that share to be locally executed, so there has to be a
way to avoid x bit.

My thinking is that if a file is world-readable and world-writable,
there are no restrictions imposed by POSIX.


More information about the samba-technical mailing list