[Samba] POSIX to NT ACL bug

Sergey Zhitomirsky szh at dgap-gw.mipt.ru
Mon Mar 3 22:09:55 GMT 2003

recently I set up XFS share under samba , and played from Win2K 
with ACL entries of shared files, 
and noticed that
 Win2K never  DENY  ACL entries , 
 so for example for a XFS file with acl: 

 # owner: a
  Win2K security tab  shows for user "a": 
   Read & exec = <nothing here>
   Read        = Allowed
   Write       = <nothing here>

 But in fact, POSIX ACL will allow user "a" to read from the file
 and deny write or execute the file , as posix acl will not consult any
 other ACL entries, after founding  appropriate  user:  entry. 
  So, shown by Win2K  flags are  wrong, and must be instead : 
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  as NT ACL logic suppose, as far as know(?), that in case <nothing here>
  father ACL entries will be consulted, so in this case  NT user suppose
  that he has "rwx" rights on the file  due to  other::rwx rule 
  (-> Everybody, Full Access=Allowed)

  but when tried to write - receive Permission Denied. 

  So that is a samba bug, as samba must have send DENY for "write" and
  "execute" and ALLOW for "read"   for this user's file ("user::r--")  ,
  but now it just sends ALLOW for "read".

 I have samba-2.2.7a, 
 ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups 
          --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat 


More information about the samba mailing list