[Samba] still ACL bug in 3.0.14a
Jeremy Allison
jra at samba.org
Sun Apr 17 07:53:52 GMT 2005
On Sat, Apr 16, 2005 at 11:42:33PM -0400, Stewart, Eric wrote:
> If someone has this working on Red Hat Enterprise Linux 3, I'd
> like a few pointers.
> I've changed "defaults" in /etc/fstab for the affected partition
> to "defaults,acl,user_xattr" and rebooted the box. I've gone so far as
> to make sure all processes were killed, remove the samba sbin, bin, lib,
> and include directories, checked to make sure ACL support is being
> compiled in (ldd even shows libacl.so.1 linked). I've even gotten
> desperate and added "delete readonly = yes" and even "nt acl support
> = no" (in all sorts of combinations) to the junk share in the config
> below, and yet I still get access denied when attempting to delete a
> file. ls -laF shows:
>
> : ls -laF /usr/local/samba/junk
> total 5608
> drwxrwxr-x 2 bb mysql 4096 Apr 16 00:44 ./
> drwxr-xr-x 11 root root 4096 Apr 16 23:20 ../
> -rwxrw-r-- 1 LIB+eric mysql 46080 Mar 31 2000
> annualreport99.doc*
> -rwxrw-r-- 1 LIB+eric mysql 5668947 Mar 25 09:11
> HPLJ4250-070323-ILLiad.pdf*
>
> With the "force group =" set, anyone who qualifies as a valid
> user should be able to delete the file. But I can't.
Ok, I think I see the bug you're encountering.... I don't think force group
was considered in the posix_acl code - that changes current_user.gid
without changing it in the group array in current_user.
Can you try this patch please ?
Jeremy.
-------------- next part --------------
Index: smbd/posix_acls.c
===================================================================
--- smbd/posix_acls.c (revision 6363)
+++ smbd/posix_acls.c (working copy)
@@ -3867,6 +3867,23 @@
if (pgid == NULL) {
goto check_stat;
}
+
+ /* Does it match the current effective group ? */
+ if (current_user.gid == *pgid) {
+ ret = have_write;
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
+
+ /* If we don't have write permission this entry doesn't
+ * prevent the subsequent enumeration of the supplementary
+ * groups.
+ */
+ if (have_write) {
+ goto done;
+ }
+ }
+
+ /* Continue with the supplementary groups. */
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == *pgid) {
ret = have_write;
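Review bot: the DEBUG(10, ...) call in the new effective-group block always logs "-> can write", but it runs before the `if (have_write)` test, so when have_write is 0 the log reports write access that ret does not grant. Print the outcome conditionally, as the second hunk does with `ret ? "can write" : "cannot write"`, or move the DEBUG call inside the `if (have_write)` branch. The backslash-newline inside the string literal also relies on the continuation line starting at column 0; adjacent string literals would avoid that dependency.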
@@ -3898,6 +3915,15 @@
/* Do we match on the owning group entry ? */
+ /* First, does it match the current effective group ? */
+ if (current_user.gid == psbuf->st_gid) {
+ ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
+ goto done;
+ }
+
+ /* If not look at the supplementary groups. */
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == psbuf->st_gid) {
ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
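Review bot: the `goto done;` after the `current_user.gid == psbuf->st_gid` match is unconditional, whereas the group-entry check in the first hunk only jumps when have_write is set, and nothing in the comments explains the difference. The supplementary loop that follows compares against the same psbuf->st_gid and computes the same S_IWGRP result, so stopping here looks correct, but a comment saying so would keep the two branches from being "harmonised" later by mistake. It would also help to note in the comment that current_user.gid may not appear in current_user.groups, since that is the only reason this separate check exists.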