[Samba] POSIX to NT ACL bug

Sergey Zhitomirsky szh at dgap-gw.mipt.ru
Mon Mar 3 22:09:55 GMT 2003


Hello,
recently I set up an XFS share under Samba, and played from Win2K
with the ACL entries of shared files,
and noticed that
 Win2K never shows DENY ACL entries,
 so for example for an XFS file with ACL:

 # owner: a
 user::r--
 group::rwx
 other::rwx
 
  Win2K security tab  shows for user "a": 
   Read & exec = <nothing here>
   Read        = Allowed
   Write       = <nothing here>

 But in fact, the POSIX ACL will allow user "a" to read from the file
 and deny writing or executing the file, as POSIX ACL will not consult any
 other ACL entries after finding the appropriate user: entry.
 
  So the flags shown by Win2K are wrong, and must instead be:
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  as NT ACL logic supposes, as far as I know(?), that in the case of <nothing here>
  further ACL entries will be consulted, so in this case the NT user supposes
  that he has "rwx" rights on the file due to the other::rwx rule
  (-> Everybody, Full Access=Allowed)

  but when he tries to write, he receives Permission Denied.

  So that is a Samba bug, as Samba must send DENY for "write" and
  "execute" and ALLOW for "read" for this user's file ("user::r--"),
  but now it just sends ALLOW for "read".


 I have samba-2.2.7a, 
 ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups 
          --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat 


Sergey.
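
The mismatch described in this message, as an added example that is not part of the original post and is not Samba's code: a simplified model of the POSIX check and of an NT-style ACE walk, with both mappings applied to the ACL above. The group name "staff", the token contents and all function names are assumptions made for illustration.

```python
# Added illustration: simplified models of the two access checks (not Samba code).
R, W, X = 4, 2, 1
RWX = R | W | X

def posix_allows(acl, user, groups, want):
    """POSIX check: the first matching class decides, with no fall-through."""
    if user == acl["owner"]:
        perms = acl["user"]
    elif acl["group_name"] in groups:
        perms = acl["group"]
    else:
        perms = acl["other"]
    return perms & want == want

def nt_allows(aces, sids, want):
    """NT-style check: walk ACEs in order, accumulating ALLOW bits across
    every matching trustee; a DENY on a still-needed bit refuses access."""
    remaining = want
    for kind, trustee, mask in aces:
        if trustee not in sids:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def map_allow_only(acl):
    """Mapping the message reports: only ALLOW entries are produced."""
    return [("allow", acl["owner"], acl["user"]),
            ("allow", acl["group_name"], acl["group"]),
            ("allow", "Everyone", acl["other"])]

def map_with_deny(acl):
    """Mapping the message asks for: DENY the bits each class lacks."""
    aces = []
    for trustee, perms in ((acl["owner"], acl["user"]),
                           (acl["group_name"], acl["group"])):
        aces.append(("deny", trustee, RWX & ~perms))
        aces.append(("allow", trustee, perms))
    aces.append(("allow", "Everyone", acl["other"]))
    return aces

# Constructed sample: the ACL from the message; group name "staff" is assumed.
ACL = {"owner": "a", "user": R, "group_name": "staff", "group": RWX, "other": RWX}
TOKEN_A = {"a", "Everyone"}  # identities held by user "a" (not in "staff")
```

With the allow-only mapping, `nt_allows(map_allow_only(ACL), TOKEN_A, W)` grants write through the Everyone entry while `posix_allows(ACL, "a", set(), W)` refuses it; with the deny mapping the two checks agree.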



