[Samba] Bug with Samba ACL support or did I screw up somewhere?

Arcadio Sincero asince1 at gl.umbc.edu
Tue Jul 2 08:01:02 GMT 2002


Hello list,

I am using Samba 2.2.5 configured as a Win2k domain member with a Win2k
Adv Server box acting as Domain Controller.  Samba is running on a Linux
2.4.18 box with the extended attributes and ACL support patches applied.
I am using the ext3 filesystem on the filesystems being shared via Samba
to the Windows 2000/XP boxen on the network.  And I do have the winbindd
daemon running and it appears to properly map domain SIDs to UNIX
uids/gids.  However, there seems to be an issue with the ACL support in
Samba (or maybe I just screwed up the configuration somewhere).

I have the following in the [global] section of the smb.conf file:

	create mode	= 0600
	map hidden	= no
	map system	= no
	map archive	= no

When I create a file on a file share from a WinXP Pro box (Right Click->
New->Text Document for example), the above settings create the file with
the following permissions:

[~]: getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: asincero
# group: Domain Users
user::rw-
group::---
other::---

That's to be expected.  Trying to set the Hidden and Archive attributes
from the file's property sheet from Explorer on the WinXP box has no
effect, and that's also expected behavior.  However, when I add another
user to this file's ACL, things start to get screwy when I attempt to set
the Read-only, Hidden and/or Archive attributes from the file's property
sheet.

I'll add the domain user "aps" to the file's ACL from a WinXP box and give
him read and execute permissions (the default whenever you add a new user
to a file's ACL from the 2k/XP security tab of a file's property sheet):

[~]: getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: asincero
# group: Domain Users
user::rw-
user:aps:r-x
group::---
mask::rwx
other::---

Now, I'll click the Hidden attribute checkbox from the file's property
sheet from Explorer on the WinXP box.  The following is the result:

[~]: getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: asincero
# group: Domain Users
user::rw-
user:aps:r-x
group::rwx
mask::rwx
other::---

Notice that group members now have full access to do whatever they like to
the file!!  The same thing happens when I select the Archive attribute
instead of the Hidden attribute.  When I select the Read-only attribute,
the file permissions become:

[~]: getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: asincero
# group: Domain Users
user::r--
user:aps:r-x
group::r-x
mask::rwx
other::---

The group permissions magically get the read and executable permissions
:-/.

Anybody have any idea what's going on here?  Is it a bug or did I screw up
somewhere?  I suppose the quick fix to this is to set the security mask to
something like "0700".  But this means users won't be able to manipulate
the group permissions (and with a mask like 0700, the other permissions as
well) from the Security Tab from the 2k/XP boxen :-/.

Thanks in advance for any help with this.

- Arcadio
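As an added example (not code from the post or from Samba), here is a small Python check that applies the POSIX ACL mask to two getfacl listings and reports which entries gained effective access, run over the listings quoted in the message above. It assumes standard POSIX ACL semantics: mask:: limits named users, named groups and the owning group, but never the owner (user::) or other::.

```python
# Added example (not from the post): apply the POSIX ACL mask to getfacl output
# and report entries whose effective rights widened between two listings.
from typing import Dict, List, Tuple

Key = Tuple[str, str]               # (tag, qualifier), e.g. ("user", "aps")
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_getfacl(text: str) -> Dict[Key, int]:
    """getfacl text -> {(tag, qualifier): rwx bits}; '#' comment lines are skipped."""
    acl: Dict[Key, int] = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":", 2)
            acl[(tag, qualifier)] = sum(PERM_BITS[c] for c in perms if c in PERM_BITS)
    return acl

def effective_rights(acl: Dict[Key, int]) -> Dict[Key, int]:
    """Apply mask::; the owner (user::) and other:: are never masked (POSIX ACL rule)."""
    mask = acl.get(("mask", ""), 7)
    eff: Dict[Key, int] = {}
    for key, bits in acl.items():
        if key != ("mask", ""):
            eff[key] = bits if key in (("user", ""), ("other", "")) else bits & mask
    return eff

def widened_entries(before: str, after: str) -> List[Tuple[Key, int, int]]:
    """Entries that gained effective rights; an absent entry counts as ---."""
    b = effective_rights(parse_getfacl(before))
    a = effective_rights(parse_getfacl(after))
    out = []
    for key in sorted(set(b) | set(a)):
        old, new = b.get(key, 0), a.get(key, 0)
        if new & ~old:                   # any bit set now that was not set before
            out.append((key, old, new))
    return out

def fmt(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

# Listings copied from the post: after adding "aps", then after ticking Hidden / Read-only.
BEFORE = "# owner: asincero\nuser::rw-\nuser:aps:r-x\ngroup::---\nmask::rwx\nother::---\n"
AFTER_HIDDEN = "user::rw-\nuser:aps:r-x\ngroup::rwx\nmask::rwx\nother::---\n"
AFTER_READONLY = "user::r--\nuser:aps:r-x\ngroup::r-x\nmask::rwx\nother::---\n"

if __name__ == "__main__":
    for label, snap in (("Hidden", AFTER_HIDDEN), ("Read-only", AFTER_READONLY)):
        for key, old, new in widened_entries(BEFORE, snap):
            print(f"{label}: {':'.join(key)} widened {fmt(old)} -> {fmt(new)}")
```

Run against live output (`getfacl` captured before and after a change from the Windows side), this flags exactly the group:: widening the post describes; it stays silent when rights only narrow.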