[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2

Ralph Böhme slow at samba.org
Wed Aug 24 14:06:42 UTC 2016

Hi Eric,

On Thu, Aug 18, 2016 at 07:57:36AM -0600, Eric Eastman wrote:
> >> The line causing the problem with 4.5rc2 is:
> >>   acl_xattr:ignore system acls = yes
> >
> > this change was introduced in
> > <https://bugzilla.samba.org/show_bug.cgi?id=12028>
> >
> > Before explaining the gory details, one question: why are you setting
> > this option?
> I am setting this option per the vfs_acl_xattr.8 man page
> recommendations. Using a Windows system I set up a Home directory under
> the root directory, /zzz/Home in this case, and that directory gets
> the needed NT ACLs when it is created.  Not having access to /zzz on
> my Windows AD was a surprise when I started testing 4.5, as this has
> worked for me since 4.1.x. Other than creating /zzz, all access to the
> /zzz/Home tree is done using shared SMB mounts from Linux and Windows.

ok, thanks for that.

> > As this severely impacts existing setups, we have three options to
> > address this:
> >
> > 1. Revert it,
> > 2. Document it, or
> > 3. Do it differently
> >
> > 1. Revert it
> >
> > Brings back the original problem: not behaving as a Windows server and
> > in certain situations unexpectedly exposing system POSIX permissions
> > as described in the above bug.
> I would not revert it, but per other recommendations, having a legacy
> option would be nice.

Yeah, as much as I'd like to avoid adding a new option, I guess we
have to do something about it, my latest take on this is

       acl_xattr:default acl style = [posix|windows]

           This parameter determines the type of ACL that is
           synthesized in case a file or directory lacks a
           security.NTACL xattr.

           When set to posix, an ACL will be synthesized based on the
           POSIX mode permissions for user, group and others, with an
           additional ACE for NT Authority\SYSTEM with full rights.

           When set to windows, an ACL is synthesized the same way
           Windows does it, only including permissions for the owner
           and NT Authority\SYSTEM.

           The default for this option is posix.

tldr: this reverts behaviour to what it was before #12028 and makes the
behaviour introduced by #12028 optional.

Plan? Michael? Uri? Jeremy?
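
A simplified model of the two styles in the proposed parameter text above, as an added example that is not part of the original message and not Samba's code: it shows which trustees a file without a security.NTACL xattr stops granting access to when the style changes from posix to windows. Assumptions: rights are symbolic strings rather than NT access masks, "others" is represented as Everyone, the owner gets full rights in the windows style, and trustees with no mode bits get no ACE; the account names in the sample are constructed.

```python
import stat

SYSTEM = r"NT Authority\SYSTEM"
FULL = "full"


def _rwx(mode, r_bit, w_bit, x_bit):
    """Render one POSIX permission triplet as a symbolic rights string."""
    bits = (("r", r_bit), ("w", w_bit), ("x", x_bit))
    return "".join(name for name, bit in bits if mode & bit)


def synthesize_default_acl(style, mode, owner, group):
    """Model the ACL synthesized for a file lacking security.NTACL.

    Returns a list of (trustee, rights) pairs. This is a model of the
    parameter description, not Samba's implementation.
    """
    if style == "posix":
        entries = [
            (owner, _rwx(mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)),
            (group, _rwx(mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)),
            ("Everyone", _rwx(mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)),
        ]
        # Assumption: a trustee with no permission bits gets no ACE.
        acl = [(trustee, rights) for trustee, rights in entries if rights]
        acl.append((SYSTEM, FULL))
        return acl
    if style == "windows":
        # Only the owner and SYSTEM; group and others are not represented.
        return [(owner, FULL), (SYSTEM, FULL)]
    raise ValueError("style must be 'posix' or 'windows'")


def trustees_dropped_by_windows_style(mode, owner, group):
    """Trustees with an ACE under posix style but none under windows style."""
    posix = {t for t, _ in synthesize_default_acl("posix", mode, owner, group)}
    windows = {t for t, _ in synthesize_default_acl("windows", mode, owner, group)}
    return sorted(posix - windows)


if __name__ == "__main__":
    # Constructed sample: a directory created locally with mode 0755.
    for style in ("posix", "windows"):
        print(style, synthesize_default_acl(style, 0o755, "root", "domain users"))
    print("dropped:", trustees_dropped_by_windows_style(0o755, "root", "domain users"))
```
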


