vfs_fruit bug in ACL get/set.

Ralph Böhme slow at samba.org
Fri Mar 2 21:05:37 UTC 2018

Hi Jeremy,

On Fri, Mar 02, 2018 at 09:14:59AM -0800, Jeremy Allison wrote:
> I just created:
> https://bugzilla.samba.org/show_bug.cgi?id=13319
> ------------------------------------------------
> In fruit_fget_nt_acl() the 3 extra ACE entries
> corresponding to mode/uid/gid are always added
> to the returned ACL as virtual ACE entries that
> are not expected to be stored in the file ACL on disk.
> In fruit_fset_nt_acl() the client-sent ACL is applied
> to the file, then the mode entry (if sent) is used to
> do the CHMOD - but the client-sent ACL is applied
> without removing any virtual ACE entries.
> If a naive client just round-trips get/set/get/set,
> on every set the 'virtual' ACE entries will be stored
> in the xattr.
> I think the correct action on fruit_fset_nt_acl()
> is to check for - then *remove* any virtual ACE
> entries sent by the client before passing down
> to the underlying SET_NT_ACL call.

hm, I guess the idea was that the NFS ACE *could* be of interest to lower layers
as well, so I chose not to filter them out.

If we're starting to use NFS ACEs more broadly (by coincidence just today metze
mentioned that he's thinking about using them in s3/auth iirc), maybe we should
move the functionality to a lower layer and out of fruit.


Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46
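
The round-trip accumulation described in the quoted bug report, and the filter-on-set behaviour it proposes, as an added toy model in C (not Samba code and not part of the original message). The struct, the function names and the SID values are constructed, and the S-1-5-88 prefix for the NFS ACEs is an assumption that the thread itself does not state.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not Samba's security_ace / security_acl structures. */
#define MAX_ACES 32
struct acl { char sid[MAX_ACES][40]; int n; };

/* Assumption: virtual NFS ACEs (uid/gid/mode) use SIDs under S-1-5-88. */
static int is_virtual(const char *sid) { return strncmp(sid, "S-1-5-88-", 9) == 0; }

static void push(struct acl *l, const char *sid) {
    if (l->n < MAX_ACES)    /* bound the toy array */
        snprintf(l->sid[l->n++], sizeof(l->sid[0]), "%s", sid);
}

/* get: stored ACL plus three virtual ACEs (constructed values). */
static struct acl acl_get(const struct acl *stored) {
    struct acl out = *stored;
    push(&out, "S-1-5-88-1-1000");  /* uid */
    push(&out, "S-1-5-88-2-1000");  /* gid */
    push(&out, "S-1-5-88-3-420");   /* mode */
    return out;
}

/* set: store the client-sent ACL; if filter is set, drop virtual ACEs. */
static void acl_set(struct acl *stored, const struct acl *sent, int filter) {
    stored->n = 0;
    for (int i = 0; i < sent->n; i++)
        if (!filter || !is_virtual(sent->sid[i]))
            push(stored, sent->sid[i]);
}

/* Round-trip get/set `rounds` times and return the stored ACE count. */
static int round_trip(int rounds, int filter) {
    struct acl stored = { .n = 0 };
    push(&stored, "S-1-5-21-1-2-3-1001");  /* constructed file ACE */
    for (int i = 0; i < rounds; i++) {
        struct acl seen = acl_get(&stored);
        acl_set(&stored, &seen, filter);
    }
    return stored.n;
}

int main(void) {
    printf("unfiltered: %d, filtered: %d\n", round_trip(3, 0), round_trip(3, 1));
    return 0;
}
```

Without the filter the stored ACL grows by three entries on every get/set cycle; with it the stored ACL keeps only the real file ACE.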
