[Samba] POSIX ACL to NT ACL bugs in get_nt_acl()
szh at 7ka.mipt.ru
Thu Mar 6 22:18:37 GMT 2003
Hello , the described bellow happens both in samba 2.2.7a and 3.0-alfa22.
As it is easy to check smbd , when asked about ACL entry of a file
never sends to the client OS DENY Access Control Entries , only ALLOW.
so for example for a XFS file with acl:
# owner: a
Win2K security tab shows for user "a":
Read & exec = <nothing here>
Read = Allowed
Write = <nothing here>
But in fact, POSIX ACL will allow user "a" to read from the file
and deny write or execute the file , as posix acl will not consult any
other ACL entries, after founding appropriate user:: entry.
Not lets see , what Win2K user will expect, when watching this shown ACL.
As NT ACL logic suppose, in case <nothing here>
father ACL entries will be consulted, so in this case NT user suppose
that he has "rwx" rights on the file due to other::rwx rule ,
shown in Win2K security tab as Everybody: Full Access=Allowed
but when tried to write - receive Permission Denied.
So this situation is plain wrong
sent to Win2K flags must have been instead :
Read & exec = Deny
Read = Allowed
Write = Deny
So that is a samba bug, as samba must have send DENY for "write" and
"execute" and ALLOW for "read" for this user's file ("user::r--") ,
but now it just sends ALLOW for "read".
Take ownership flag is curerntly always set ALLOWED for EVERY ACE
but actually only root user can take ownership of the file under Unix,
so this is plain wrong.
As far as I see, this bug was introduced because of the first bug AND
NT4 denying to show empty ACL.
In POSIX every user which can see a file , can also always
1) Read ACL for the file
2) Read attributes for the file.
so SMBD should always show that these things are allowed , but it failes to
Of course due to the FIRST BUG this is not very annoying, as there are no
entries showed, that this is forbidden.
In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a &
3.0 alfa 22
More information about the samba