[Samba] still ACL bug in 3.0.14a

Jeremy Allison jra at samba.org
Sun Apr 17 07:53:52 GMT 2005


On Sat, Apr 16, 2005 at 11:42:33PM -0400, Stewart, Eric wrote:
> 	If someone has this working on Red Hat Enterprise Linux 3, I'd
> like a few pointers.
> 	I've changed "defaults" in /etc/fstab for the affected partition
> to "defaults,acl,user_xattr" and rebooted the box.  I've gone so far as
> to make sure all processes were killed, remove the samba sbin, bin, lib,
> and include directories, checked to make sure ACL support is being
> compiled in (ldd even shows libacl.so.1 linked).  I've even gotten
> desperate and added "delete readonly = yes" and even "nt acl support
> = no" (in all sorts of combinations) to the junk share in the config
> below, and yet I still get access denied when attempting to delete a
> file.  ls -laF shows:
> 
> : ls -laF /usr/local/samba/junk
> total 5608
> drwxrwxr-x    2 bb       mysql        4096 Apr 16 00:44 ./
> drwxr-xr-x   11 root     root         4096 Apr 16 23:20 ../
> -rwxrw-r--    1 LIB+eric mysql       46080 Mar 31  2000 annualreport99.doc*
> -rwxrw-r--    1 LIB+eric mysql     5668947 Mar 25 09:11 HPLJ4250-070323-ILLiad.pdf*
> 
> 	With the "force group =" set, anyone who qualifies as a valid
> user should be able to delete the file.  But I can't.

Ok, I think I see the bug you're encountering.... I don't think force group
was considered in the posix_acl code - that changes current_user.gid
without changing it in the group array in current_user.

Can you try this patch please ?

Jeremy.
-------------- next part --------------
Index: smbd/posix_acls.c
===================================================================
--- smbd/posix_acls.c	(revision 6363)
+++ smbd/posix_acls.c	(working copy)
@@ -3867,6 +3867,23 @@
 				if (pgid == NULL) {
 					goto check_stat;
 				}
+
+				/* Does it match the current effective group ? */
+				if (current_user.gid == *pgid) {
+					ret = have_write;
+					DEBUG(10,("check_posix_acl_group_write: file %s \
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
+
+					/* If we don't have write permission this entry doesn't
+					 * prevent the subsequent enumeration of the supplementary
+					 * groups.
+					 */
+					if (have_write) {
+						goto done;
+					}
+				}
+
+				/* Continue with the supplementary groups. */
 				for (i = 0; i < current_user.ngroups; i++) {
 					if (current_user.groups[i] == *pgid) {
 						ret = have_write;
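Review bot: in the added effective-group block the DEBUG(10, ...) call prints "match on group %u -> can write." before have_write is tested, so the log reports write access even when have_write is 0 and control falls through to the supplementary groups. Move the DEBUG inside the `if (have_write)` branch, or print the outcome conditionally the way the owning-group hunk does with `ret ? "can write" : "cannot write"`. The new comment would also be clearer if it said that "force group" is the case where current_user.gid is not present in current_user.groups, since that is the only reason this extra test is needed.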
@@ -3898,6 +3915,15 @@
 
 	/* Do we match on the owning group entry ? */
 
+	/* First, does it match the current effective group ? */
+	if (current_user.gid == psbuf->st_gid) {
+		ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+		DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
+		goto done;
+	}
+
+	/* If not look at the supplementary groups. */
 	for (i = 0; i < current_user.ngroups; i++) {
 		if (current_user.groups[i] == psbuf->st_gid) {
 			ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
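Review bot: the added owning-group test repeats `ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;` from the supplementary loop directly below it, and the first hunk adds the same "effective gid first, then current_user.groups" pattern, so the membership logic now lives in four places in this function. A small helper that answers "is this gid the effective gid or one of the supplementary groups" would keep the two call sites consistent and give any other user of current_user.groups one place to pick up the force group case. The unconditional `goto done` here is fine as written, because the loop it skips compares against the same psbuf->st_gid and the same S_IWGRP bit, but a one-line comment saying so would explain why it differs from the conditional `goto done` in the ACL group-entry path.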

