[Samba] Permissions incorrectly ordered on Windows after disabling inheritance

Jeremy Allison jra at samba.org
Thu Aug 30 17:52:08 MDT 2012 

On Thu, Aug 30, 2012 at 05:09:10PM -0600, Walkes, Dan wrote:
> On Wed, Aug 29, 2012 at 21:45:24, Jeremy Allison wrote:
> > On Fri, Aug 24, 2012 at 11:08:53AM -0600, Walkes, Dan wrote:
> > > Hi everyone,
> > >
> > > I've noticed a problem with Debian wheezy + samba 3.6.6 configured 
> > > with acl_xattr in my configuration.  The following test sequence 
> > > causes Windows Explorer to report incorrectly ordered permission
> entries:
> > > 1)	Map a share as with "admin" user credentials  to a drive letter
> > > on a Windows client
> > > 2)	Create a folder at the root of the share "rootfolder"
> > > 3)	Create a subfolder "subfolder1" under "rootfolder"
> > > 4)	Un-check "Include inheritable permissions from this object's
> > > parent" in the windows security settings dialog for Windows Explorer
> 
> > > on the root folder
> > > 5)	Create a subfolder "subfolder2" under "subfolder1"
> > > 6)	Right-click with Windows Explorer and attempt to edit the
> > > permissions of "subfolder2".  Windows Explorer pops up a message 
> > > stating "The permissions on subfolder2 are incorrectly ordered, 
> > > which may cause some entries to be ineffective."
> > 
> > FYI, the complete and correct fix for this ifor 3.6.next s now
> attached to bug :
> > 
> > https://bugzilla.samba.org/show_bug.cgi?id=9124
> > 
> > as a patch. Please test (it fixes the problem here). Thanks for 
> > reporting this, the same code will go into master as soon as I've 
> > finished wrestling with autobuild :-).
> > 
> 
> Thanks Jeremy.  I've tested today.  I can confirm it fixes the incorrect
> ordering issue and sequence 1-6 works for me.  I can also confirm that
> after removing inheritance on a root folder from windows the I flag is
> set for all permissions on subfolders as expected.  I did notice however
> that in my case if I never modify permissions or change permissions from
> Windows Explorer the I flag is still not set on inherited permissions,
> at least with my configuration. 

Actually this is what you'd expect with a security descriptor
type of : CONTROL:0x8004

(SEC_DESC_SELF_RELATIVE          = 0x8000|
 SEC_DESC_DACL_PRESENT           = 0x0004).

On Windows you'll probably have :

CONTROL:0x8404

(SEC_DESC_SELF_RELATIVE          = 0x8000|
 SEC_DESC_DACL_AUTO_INHERITED    = 0x0400|
 SEC_DESC_DACL_PRESENT           = 0x0004).

which explains the difference. If you set a security
descriptor on rootfolder/ from the Windows client and
end up with CONTROL:0x8404, then whenever you create
subfolders/files below that you'll see the "INHERITED"
bit (that's what the patch solves).

Jeremy.

More information about the samba mailing list