Problems with ACLs in 2.2.8

Buck Huppmann buckh at pobox.com
Mon Mar 31 16:52:30 GMT 2003 

i'm also seeing some aberrant ACL-setting behavior in samba 2.2.8. more-
over, the new Creator Owner and Creator Group semantics are bewildering,
although i can understand if, in that sense, they're just mimicking NT
behavior all the more closely. at any rate, below's a patch that purports
to do the following:

1. the hunk for util_sid.c make the Creator Owner and Creator Group
   icons show up appropriately in my NT-permissions-chooser thingy

2. the first three hunks for posix_acls.c allows one to drop entries from
   an ACL without having samba re-insert the ``missing'' ACEs behind the
   scenes with the share-default perms. this may or may not address your
   concern

3. the fourth hunk excepts Creator Owner and Creator Group from being
   dropped from the incoming ACL as ``non-mappable SIDs''

4. the fifth hunk corrects for the fact that--according to the ``-s''
   option description from the setfacl(1) man page of Solaris 2.6, anyway--
   Solaris needs a default ``CLASS_OBJ'' entry if it has any other default
   ACL entries

5. the sixth hunk makes use of the mask_perms mode that set_canon_ace_list()
   munges all the way through but then does nothing with. this isn't required
   for correct functionality, though, i don't think
   
6. the seventh hunk (in NT4-compatible mode) abridges the code to elide
   the non-default ACL entry for the group owner if the group owner has no
   permissions, since i thought this might allay confusion, as indicated by
   the CPP macro name used there. again, this isn't required for correct
   functionality

none of these are meant to be applied to anybody's samba source tree; i'm
just trying to point out some areas that may need attention

i think, however, for my purposes, i'm just going to drop in the old 2.2.7
posix_acls.c, since i find named ACEs with non-bogus perms in both parenthe-
sized slots in the NT-permissions-thingy display much less confusing, if a
bit misleading

--buck

On Tue, Mar 25, 2003 at 01:39:22AM +0000, Jan Houstek wrote:
> Hi all!
> 
> I posted this in samba at lists.samba.org but there were no reactions.
> Particulary I'm interested if anyone observe the same behavior.
> 
> -- Honza Houstek
> 
> --------------------------------------------------------------
> 
> server:
> 	linux 2.4.19 with xfs 1.2 and its ACL
> 	libacl 2.0.19
> 	samba 2.2.8 compiled from source with --with-acl-support
> 	acting as PDC
> 	interesting parts of smb.conf
> 		create mask = 0600
> 		directory mask = 0700
> 		[testshare]
> 			path = /data/testshare
> 			readonly = No
> client:
> 	1) Windows XP, servicepack 1.2a
> 	2) smbmount from another linux box
> 
> server:~# getfacl /data/testshare/testdir
> # file: testdir
> # owner: testuser
> # group: users
> user::rwx
> group::---
> group:somegroup:r-x
> group:anothergroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:somegroup:r-x
> default:group:anothergroup:rwx
> default:mask::rwx
> default:other::---
> 
> server:~# umask 007
> server:~# mkdir /data/testshare/testdir/test1
> server:~# getfacl /data/testshare/testdir/test1
> # file: test1
> # owner: root
> # group: root
> user::rwx
> group::---
> group:somegroup:r-x
> group:anothergroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:somegroup:r-x
> default:group:anothergroup:rwx
> default:mask::rwx
> default:other::---
> 
> On windows:
> 	logon to domain as testuser
> 	create test2 in testdir (right mouse button -> New -> Folder)
> 
> server:~# getfacl /data/testshare/testdir/test2
> # file: test2
> # owner: testuser
> # group: users
> user::rwx
> group::rwx			# !!! problem !!!
> group:somegroup:r-x
> group:anothergroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:somegroup:r-x
> default:group:anothergroup:rwx
> default:mask::rwx
> default:other::---

--- samba-2.2.8/source/lib/util_sid.c.orig	Fri Mar 14 16:34:47 2003
+++ samba-2.2.8/source/lib/util_sid.c	Mon Mar 31 07:50:10 2003
@@ -64,7 +64,8 @@
 	{0, (enum SID_NAME_USE)0, NULL}};
 
 static known_sid_users creator_owner_users[] = {
-	{ 0, SID_NAME_ALIAS, "Creator Owner" },
+	{ 0, SID_NAME_WKN_GRP, "Creator Owner" },
+	{ 1, SID_NAME_WKN_GRP, "Creator Group" },
 	{0, (enum SID_NAME_USE)0, NULL}};
 
 static known_sid_users nt_authority_users[] = {
--- samba-2.2.8/source/smbd/posix_acls.c.orig	Fri Mar 14 16:34:49 2003
+++ samba-2.2.8/source/smbd/posix_acls.c	Mon Mar 31 09:10:10 2003
@@ -653,6 +653,7 @@
 	 * we would get mask instead of group. Let's do it via ACL.
 	 */
 
+#if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL
 	if (setting_acl && (!got_user || !got_grp || !got_other)) {
 
 		SMB_ACL_ENTRY_T entry;
@@ -701,6 +702,7 @@
 				fsp->fsp_name));
 		}
 	}
+#endif /* RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL */
 
 	if (!got_user) {
 		if ((pace = (canon_ace *)malloc(sizeof(canon_ace))) == NULL) {
@@ -757,7 +759,11 @@
 				if (got_other)
 					pace->perms = pace_other->perms;
 				else
+#if GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER
 					pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
+#else /* GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER */
+					pace->perms = 0;
+#endif /* GROUP_SHOULDNT_DEFAULT_TO_0_LIKE_USER_AND_OTHER */
 			}
 			apply_default_perms(fsp, pace, S_IRGRP);
 		} else {
@@ -945,7 +951,9 @@
 		 * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
 		 */
 
-		if (non_mappable_sid(&psa->trustee)) {
+		if (non_mappable_sid(&psa->trustee) &&
+			!sid_equal(&psa->trustee, &global_sid_Creator_Owner) &&
+			!sid_equal(&psa->trustee, &global_sid_Creator_Group)) {
 			fstring str;
 			DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
 				sid_to_string(str, &psa->trustee) ));
@@ -1820,6 +1828,8 @@
 #if defined(POSIX_ACL_NEEDS_MASK)
 	/* HP-UX always wants to have a mask (called "class" there). */
 	needs_mask = True;
+#else if defined(SOLARIS_ACLS)
+	needs_mask = default_ace ? True : False;
 #endif
 
 	if (the_acl == NULL) {
@@ -1956,7 +1966,7 @@
 			goto done;
 		}
 
-		if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
+		if (map_acl_perms_to_permset(conn, mask_perms, &mask_permset) == -1) {
 			DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
 			goto done;
 		}
@@ -2350,11 +2360,13 @@
 			}
 #endif
 
+#if HIDE_0_PERM_CREATOR_GROUP_FILE_ACE_THOUGH_USERS_MAY_KEEP_RESETTING_DIR_ACE_IN_VAIN_EVEN_NOT_KNOWING_WHO_CREATOR_GROUP_IS
 			ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
 			if (ace && !ace->perms) {
 				DLIST_REMOVE(file_ace, ace);
 				SAFE_FREE(ace);
 			}
+#endif /* HIDE_0_PERM_CREATOR_GROUP_FILE_ACE_THOUGH_USERS_MAY_KEEP_RESETTING_DIR_ACE_IN_VAIN_EVEN_NOT_KNOWING_WHO_CREATOR_GROUP_IS */
 		} else {
 
 			ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);

More information about the samba-technical mailing list