[Samba] ACLs under Samba 3.3.0

Ryan B. Lynch ryan.lynch at id-edd.com
Fri Jan 30 22:08:14 GMT 2009 

Jeremy Allison wrote:
> On Fri, Jan 30, 2009 at 01:25:02PM -0800, Jeremy Allison wrote:
>  > > I would describe the problem *slightly* differently from Miguel.  I do 
>  > > not think that ACLs are the real problem, because the bug behaviour 
>  > > exists regardless of whether you're using filesystem ACLs or not.
>  > >
>  > > The problem seems to be that the configuration option 'acl map full 
>  > > control' isn't working anymore under 3.3.  This option took me a long 
>  > > time to understand, because it refers to Windows ACLs, not filesystem 
>  > > ACLs.  If the option is set (which is the default under both 3.2.7 and 
>  > > 3.3.0), a user with 'rwx' UNIX permissions should get 'Full Control' 
>  > > rights under Windows.  This is regardless of whether the 'rwx' 
>  > > permissions come from the base UNIX permissions or POSIX ACLs.
>  > >
>  > > 3.2.7 works as the man page describes, but 3.3.0 does not.  Under 
> 3.3.0, 
>  > > a user with 'rwx' will have every Windows right except for 'Delete' 
> and 
>  > > 'Full Control'.  Even the file's owner will lack those two rights. 
>  > > Nonetheless, the owner will be able to delete or rename the file, but 
>  > > not any other users, even if they apparently have identical rights.
>  > >
>  > > Also, this behaviour seems to persist whether you explicitly turn 'acl 
>  > > map full control' on or off.  We also tried a few dozen 
> combinations of 
>  > > other permission, ownership, and ACL-related options in 'smb.conf', 
> and 
>  > > none of them worked.
>  >
>  > Ok, here are the two commits that affected this issue to make it differ
>  > from 3.2.x.
>  >
>  > commit 51b5364c2afb3a18df4bec2bc1624760ccc01676
>  > Author: Volker Lendecke <vl at samba.org>
>  > Date:   Tue Jun 17 16:22:43 2008 +0200
>  >
>  >     RWX on a file does not imply DELETE access
>  >     Without this the changed checks in can_delete_file_in_directory 
> give DELETE
>  >     access where there is none. So we can end up granting the 
> ntcreate&x preparing
>  >     the unlink where we should not, which leads to a 
> NT_STATUS_ACCESS_DENIED at
>  >     close time later, which in turn does *not* give the access denied 
> error message
>  >     in the Windows GUI.
>  >
>  >     can_delete_file_in_directory will grant access now by looking at 
> the directory
>  >     permissions.
>  >
>  > commit daa9b056645a45edfb3a70e3536011ebe5678970
>  > Author: Volker Lendecke <vl at samba.org>
>  > Date:   Thu Jun 19 14:53:46 2008 +0200
>  >
>  >     Fix checks in can_delete_file_in_directory()
>  >     With at least NFSv4 ACLs around the write permission for the 
> owner is a bogus
>  >     check if we can delete a file in a directory. Like in Windows, 
> there are two
>  >     ways which can grant us such: First, the DELETE permission on the 
> file itself,
>  >     or if that does not help, the DELETE_CHILD permission on the 
> directory. It
>  >     might be a bit more code that runs, but essentially we should end 
> up with the
>  >     same set of syscalls in the non-acl case.
>  >
>  > This looks like a compatibility change to make us work better
>  > with NFSv4 underlying ACLs, not POSIX ones.
>  >
>  > I'll do some more digging.
> 
> Volker's changes are correct, in that delete access in POSIX does not
> belong to a file itself, but to the containing directory. So really
> we should remove the DELETE_ACCESS bit from both the file and the
> directory ACL returned. This unfortunately breaks the fiction of
> a rwx permission mapping directly into Windows FULL_CONTROL. What
> your users can do with the file over Samba hasn't actually changed,
> is they have write access to the directory they can still delete
> the file, but the ACLs "look funny".


I tested this about four weeks ago, comparing operations from Windows 
clients against our Samba 3.2.7 server and another machine running a 
3.3.0 pre-release checkout.  The ACL rights assignments did appear to be 
different, but I believe that the actual results were different, too.

That is to day, a Windows user could delete, rename, or take ownership 
of a file/directory on which that user had UNIX 'rwx' rights, but only 
on 3.2.7.  This didn't work on 3.3.0.

But I want to be careful before I say I'm sure, because you (Jeremy) 
certainly know this subject better than me.  I'm going to test those 
same operations over the weekend, and I'll confirm whether it's just a 
different appearance or whether it affects the actual operations.  I 
will also turn the debug logging up to the max, and I'll attach that to 
bug #6005 with an update.


> I'll think some more about how we can restore the fiction for
> the users without having to use the experimental native ACL
> store.

For our users, it's a requirement--the business process requires one 
user to be able to rename, delete, etc. directory trees and files that 
other users create.

-Ryan

-- 

Ryan B. Lynch
Engineer
Innovative Discovery, LLC
http://www.id-edd.com/
347.633.0512
ryan.lynch at id-edd.com

More information about the samba mailing list