vfs_acl_xattr: objects without NT ACL xattr

Even with "ignore system acls" set to "yes", for objects without NT ACL xattr we use the underlying filesystem permissions to construct an NT ACL. This can result in *very* unexpected permissions, eg: - a directory with the following ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\root ACL:SLOW\slow:ALLOWED/0x0/FULL So only one non-inheritable(!) ACE. - creating a subdirectory: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1" - checking whether there's an ACL xattr: $ getfattr -m "" /Volumes/normal/dir1 getfattr: Removing leading '/' from absolute path names system.posix_acl_access system.posix_acl_default user.DOSATTRIB So there isn't an ACL xattr, because there where no inheritable ACEs on the parent folder. - reading the new subdirectories ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:Unix Group\slow:ALLOWED/0x0/READ ACL:Everyone:ALLOWED/0x0/READ ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming from the underlying filesystem. This is the problem. - Windows assigns the following ACL in this situation: $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir" REVISION:1 CONTROL:SR|PD|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1" $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1" REVISION:1 CONTROL:SR|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL By changing make_default_filesystem_acl() to only adds user and system ACE to the ACL of objects that lack an ACL xattr, we match Windows behaviour: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2" $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
author: Ralph Boehme <slow@samba.org> 2016-07-15 17:48:19 +0200
committer: Ralph Boehme <slow@samba.org> 2016-07-19 10:22:05 +0200
commit: 961c4b591bb102751079d9cc92d7aa1c37f1958c (patch)
tree: 2651753f9a98aa1c1cef9fece1282007304c7762 /source3/modules
parent: afc2417b107af572081974ff9d013ddec890d31f (diff)
download: samba-961c4b591bb102751079d9cc92d7aa1c37f1958c.tar.gz
1 files changed, 5 insertions, 39 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index f3d6c0dcfe2..2fda938ed89 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../lib/util/bitmap.h"
+#include "passdb/lookup_sid.h"
 
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
 			DATA_BLOB *pblob,
@@ -378,12 +379,10 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
 	gid_to_sid(&group_sid, psbuf->st_ex_gid);
 
 	/*
-	 We provide up to 4 ACEs
-		- Owner
-		- Group
-		- Everyone
-		- NT System
-	*/
+	 * We provide 2 ACEs:
+	 * - Owner
+	 * - NT System
+	 */
 
 	if (mode & S_IRUSR) {
 		if (mode & S_IWUSR) {
@@ -403,39 +402,6 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
 			0);
 	idx++;
 
-	access_mask = 0;
-	if (mode & S_IRGRP) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWGRP) {
-		/* note that delete is not granted - this matches posix behaviour */
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&group_sid,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
-	access_mask = 0;
-	if (mode & S_IROTH) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWOTH) {
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&global_sid_World,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
 	init_sec_ace(&aces[idx],
 			&global_sid_System,
 			SEC_ACE_TYPE_ACCESS_ALLOWED,
author	Ralph Boehme <slow@samba.org>	2016-07-15 17:48:19 +0200
committer	Ralph Boehme <slow@samba.org>	2016-07-19 10:22:05 +0200
commit	961c4b591bb102751079d9cc92d7aa1c37f1958c (patch)
tree	2651753f9a98aa1c1cef9fece1282007304c7762 /source3/modules
parent	afc2417b107af572081974ff9d013ddec890d31f (diff)
download	samba-961c4b591bb102751079d9cc92d7aa1c37f1958c.tar.gz