[PATCH] cifs: fix set of group SID via NTSD xattrs
Amir Goldstein
amir73il at gmail.com
Mon Jan 3 18:25:01 UTC 2022
On Mon, Jan 3, 2022 at 6:56 PM Protopopov, Boris <pboris at amazon.com> wrote:
>
> Hello, Amir,
>
> It has been a while, but I recall that from my reading of the MS docs, the notion of "owner" was supposed to include both user and the primary group SIDs, which is why the comments in the code did not call out groups explicitly.
> I also recall that during development, I tested with CIFS_ACL_GROUP flag against Windows 2012 and 2019 servers, and did not see a difference. I did not test against Samba, which clearly, showed an issue discussed below.
Interesting.
I admit that the language of the docs is ambiguous:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ee9614c4-be54-4a3c-98f1-769a7032a0e4
"...flags indicating what security attributes MUST be applied".
So attributes whose flag is not set (e.g. group SID) MAY be applied or
MUST NOT be applied?
Perhaps samba would want to be as relaxed as Windows about the ACL_GROUP flag.
In any case, I don't see a reason not to set the flag when the group
SID information
is present.
Thanks,
Amir.
>
> Boris.
>
> On 1/3/22, 9:51 AM, "Amir Goldstein" <amir73il at gmail.com> wrote:
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
>
>
>
> 'setcifsacl -g <SID>' silently fails to set the group SID on server.
>
> Actually, the bug existed since commit 438471b67963 ("CIFS: Add support
> for setting owner info, dos attributes, and create time"), but this fix
> will not apply cleanly to kernel versions <= v5.10.
>
> Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs")
> Signed-off-by: Amir Goldstein <amir73il at gmail.com>
> ---
>
> Boris,
>
> I am a little confused from the comments in the code an emails.
> In this thread [1] you wrote that you tested "setting/getting the owner,
> DACL, and SACL...".
>
> Does it mean that you did not test setting group SID?
>
> It is also confusing that comments in the code says /* owner plus DACL */
> and /* owner/DACL/SACL */.
> Does it mean that setting group SID is not supposed to be supported?
> Or was this just an oversight?
>
> Anyway, with this patch, setcifsacl -g <SID> works as expected,
> at least when the server is samba.
>
> Thanks,
> Amir.
>
>
> [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/
>
> fs/cifs/xattr.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
> index 7d8b72d67c80..9d486fbbfbbd 100644
> --- a/fs/cifs/xattr.c
> +++ b/fs/cifs/xattr.c
> @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
> switch (handler->flags) {
> case XATTR_CIFS_NTSD_FULL:
> aclflags = (CIFS_ACL_OWNER |
> + CIFS_ACL_GROUP |
> CIFS_ACL_DACL |
> CIFS_ACL_SACL);
> break;
> case XATTR_CIFS_NTSD:
> aclflags = (CIFS_ACL_OWNER |
> + CIFS_ACL_GROUP |
> CIFS_ACL_DACL);
> break;
> case XATTR_CIFS_ACL:
> --
> 2.25.1
>
>
More information about the samba-technical
mailing list