[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2

Michael Adam obnox at samba.org
Thu Aug 18 11:22:21 UTC 2016 

On 2016-08-18 at 12:31 +0200, Ralph Böhme via samba wrote:
> On Thu, Aug 18, 2016 at 12:21:37PM +0300, Uri Simchoni wrote:
> > On 08/18/2016 08:28 AM, Ralph Böhme wrote:
> > > Hi Eric,
> > > 
> > > On Wed, Aug 17, 2016 at 05:56:51PM -0600, Eric Eastman via samba wrote:
> > >> I was testing Samba 4.5rc2 with an existing smb.conf file that I have been
> > >> using since Samba 4.1.x and found that I cannot access data in the share on
> > >> Windows 2012 (my AD server), a Windows 2008 client or on a Ubuntu 16.04
> > >> client.  I built a new version of Samba 4.4.5 using the same procedure as I
> > >> did for building 4.5rc2 and the 4.4.5 Samba version worked with my smb.conf
> > >> file.  I then created a very basic smb.conf file and slowly built it up,
> > >> and by doing testing between 4.4.5 and 4.5rc2, I finally found the line
> > >> that caused the problem. Here is my cut down smb.conf file:
> > >>
> > >> [global]
> > >> security = ads
> > >> realm = ERIC.LOCAL
> > >> workgroup = ERIC
> > >> netbios name = C1-GW03-T5
> > >> idmap uid = 500-10000000
> > >> idmap gid = 500-10000000
> > >> winbind use default domain = Yes
> > >> winbind nested groups = Yes
> > >> map acl inherit = yes
> > >> vfs objects = acl_xattr streams_xattr
> > >> acl_xattr:ignore system acls = yes
> > >> load printers = no
> > >> printcap name = /dev/null
> > >>
> > >> [zzz]
> > >> path = /zzz
> > >> writeable = yes
> > >> browseable = yes
> > >>
> > >>
> > >> The line causing the problem with 4.5rc2 is:
> > >>   acl_xattr:ignore system acls = yes
> > > 
> > > this change was introduced in
> > > <https://bugzilla.samba.org/show_bug.cgi?id=12028>
> > > 
> > > Before explaining the gory details, one question: why are you setting
> > > this option?
> > > 
> > > With the patches from the bugreport the behaviour of vfs_acl_xattr
> > > changed when "acl_xattr:ignore system acls" is set to yes for the case
> > > a file or directory lacks the NT ACL xattr (eg when creating files and
> > > directories on the server).
> > > 
> > > Before the change, we would query the system POSIX permissions and map
> > > them to a NT ACL.
> > > 
> > > After the change we sythesize a default NT ACL with just
> > > 
> > >   ACL:$uid:ALLOWED/0x0/$mapped_mode
> > >   ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
> > > 
> > > As this severly impacts existing setups, we have three options to
> > > address this:
> > > 
> > > 1. Revert it,
> > > 2. Document it, or
> > > 3. Do it differently
> > > 
> > > 1. Revert it
> > > 
> > > Brings back the original problem: not behaving as a Windows server and
> > > in certain situations unexpectedly exposing system POSIX permissions
> > > as described in the above bug.
> > > 
> > > 2. Document it
> > > 
> > > One could argue that this works as designed, so just add a big note to
> > > the release notes so people are aware of this change. As everybody
> > > reads release notes, there'll be no surprise. :)
> > > 
> > > When acl_xattr:ignore system acls is set to yes, we now completely
> > > ignore the system POSIX permissions. Since bug 11806 we already ignore
> > > the the system POSIX permissions when setting an NT ACL, we now ignore
> > > them as well when querying them. So this can be seen as improvement
> > > because previously our behaviour was inconsistent.
> > > 
> > > In some sense "acl_xattr:ignore system acls = yes" works like a
> > > fictional option "acl_xattr:ignore system permissions = yes".
> > > 
> > > Any filesytem object without NT ACL xattr will get default permissions
> > > matching Windows:
> > > 
> > >   ACL:$uid:ALLOWED/0x0/$mapped_mode
> > >   ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
> > > 
> > > This affects directories created on the server, like in Eric'c case,
> > > or when an SMB client creates a file or directory where the parent
> > > directory has no inheritable ACEs, as described in bug 12028.
> > > 
> > > 3. Do it differently
> > > 
> > > Implement the fictional option from 2 "acl_xattr:ignore system
> > > permissions" and only ignore system POSIX permissions when querying
> > > permissions if this is set. Sing: one more option before you go, to
> > > the valley below.
> > > 
> > > *scratching head* Thoughts?
> > 
> > I think the current behavior is correct (also tested it against Windows
> > for comparison).
> 
> thanks for confirming.
> 
> > However, if it breaks things for users, we need a way out for them, and
> > the only way out that's guaranteed to work in all cases is a
> > compatibility switch - generate the "old" DACL as default, wrong or
> > surprising as it may be, to maintain backward compatibility. So that's
> > an additional "acl_xattr:legacy default acl = yes" param IMHO.
> 
> well, if we conclude we need a new option that
> 
> a) preserves existing behaviour, and
> 
> b) allows enabling full Windows compatibility by completely ignoring
>    system POSIX permissions,
> 
> then my suggestion would be
> 
> o restore the previous behaviour of "acl_xattr:ignore system acls =
>   yes", in order not to break exisiting setups, and
> 
> o add a new option that would tell us to completely ignore system
>   POSIX permissions when querying and setting, defaulting to off:
> 
>   acl_xattr:ignore system permissions = yes | no (default: no)
> 
>   "acl_xattr:ignore system permissions = yes" implicitly sets
>   "acl_xattr:ignore system acls = yes"
> 
> The name "ignore system permissions" also better reflects the fact
> that this option is not only about ACLs, but about system permissions
> including POSIX mode.
> 
> We should then mark "acl_xattr:ignore system acls" as legacy and
> explain the broken behaviour (system permisions ignored when setting,
> but sometimes (when the filesystem object lacks an NT ACL xattr) still
> used when querying).
> 
> *still scratching head* :) Thoughts?

That sounds reasonable to me.
It's essentially the strict and non-strict modes
that I mentioned, just better.

Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20160818/1149f629/signature.sig>

More information about the samba mailing list