[Samba] ACLs and DACLs not propagated to owner of file/directory

Crosby, Scott F. scrosby at belcan.com
Fri Sep 20 14:50:01 GMT 2002


Hello,
	I've submitted the following to the bug tracking system, but thought
I might find some other answers here.
	It appears that there is a bug in the ACL code that prevents an ACL
or DACL from being applied to a directory if the user associated with that ACL
is the owner of the file.
	Consider the following directory structure

top->|
     |->a|
     |   |->1
     |   |->2
     |
     |->b|
         |->3
         |->4

	All directories are owned by root/sys and contain read/write/execute
ACLs for tom, dick, harry, and bob.  A user listed in admin users for the
share adds an ACL for tim (rwx) from win2k to the top directory.
All is well at this point.  ACLs and DACLs for each user are applied to each
folder.
	Now tom (who does not have admin rights to the share) creates a
directory alpha under top->a->1.  He is the owner, and the directory
contains all of the
ACLs from 1, including the default ACL default:user:tom:rwx.  The acl
user:tom:rwx also exists, as does user::rwx, the representation of the unix
permissions.  So far so good.
	Now the same admin user with root privs accesses the share from
win2k and recursively adds an acl for jane to the top level, giving her
read/write/execute.  This is when things start to fall apart.  The new
directory alpha LOSES the ACL user:tom:rwx and the default ACL
default:user:tom:rwx.  If any user other than tom creates a file or
directory underneath alpha, tom will lose access to those files.  The
effect is most painful when tom creates an
Excel spreadsheet or other document under alpha, then jane edits and saves
it.  Since the Office products delete a file before saving, the ownership of
the file immediately changes to jane and tom loses access to his own file.
	I believe the bug is in sys_acl_set_file() in lib/sysacls.c.  Or at
least, a fix could be applied in this call by creating a default ACL and a
user access ACL for the owner (and group) of the file.
	I've tested this with samba 2.2.3a and samba 2.2.5 on linux kernels
2.4.17 with linux acl/ea patches from the 0.7 series as well as 2.4.19 with
xattr+acl patch 0.8.50.  The problem also occurs on HP-UX 11.0 using JFS 3.3
(vxfs 4 filesystem layout) and samba 2.2.5.

Additional information :
	1.  When acls are applied directly using setfacl on the linux or
hp-ux server, they are applied correctly.  This does not look like a problem
with ACLs on either system.
	2.  Files created by windows clients start with the correct ACLs.
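
An added example, not part of the original post: a Python check that compares two `getfacl -R` snapshots taken before and after a recursive ACL change and reports where the owner's named `user:` or `default:user:` entry disappeared, the symptom described above. The snapshot text is constructed sample data and the function names are hypothetical.

```python
# Constructed `getfacl -R` style snapshot of "alpha" before the change (sample data).
BEFORE = """\
# file: top/a/1/alpha
# owner: tom
user::rwx
user:tom:rwx
user:dick:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:tom:rwx
default:mask::rwx
"""
# Constructed "after" snapshot: tom's named entries are gone, jane's are present.
AFTER = BEFORE.replace("user:tom:rwx\n", "user:jane:rwx\n")

def parse_getfacl(text):
    """Map path -> {"owner": name, "entries": {(scope, tag, qualifier): perms}}."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            cur = acls.setdefault(line[8:], {"owner": None, "entries": {}})
        elif cur is not None and line.startswith("# owner: "):
            cur["owner"] = line[9:]
        elif cur is not None and line and not line.startswith("#"):
            parts = line.split("#")[0].strip().split(":")  # drop "#effective:" notes
            scope = "default" if parts[0] == "default" else "access"
            tag, qualifier, perms = parts[-3:]
            cur["entries"][(scope, tag, qualifier)] = perms
    return acls

def lost_owner_entries(before, after):
    """Return (path, scope, owner) for owner entries in `before` but not `after`."""
    old, new = parse_getfacl(before), parse_getfacl(after)
    lost = []
    for path, acl in old.items():
        if path not in new:
            continue  # path removed or not captured; nothing to compare
        for scope in ("access", "default"):
            key = (scope, "user", acl["owner"])
            if key in acl["entries"] and key not in new[path]["entries"]:
                lost.append((path, scope, acl["owner"]))
    return lost

if __name__ == "__main__":
    for path, scope, owner in lost_owner_entries(BEFORE, AFTER):
        print(f"{path}: owner {owner} lost {scope} ACL entry")
```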

