diff options
author | Ralph Boehme <slow@samba.org> | 2016-07-15 17:48:19 +0200 |
---|---|---|
committer | Ralph Boehme <slow@samba.org> | 2016-07-19 10:22:05 +0200 |
commit | 961c4b591bb102751079d9cc92d7aa1c37f1958c (patch) | |
tree | 2651753f9a98aa1c1cef9fece1282007304c7762 /source3/modules | |
parent | afc2417b107af572081974ff9d013ddec890d31f (diff) | |
download | samba-961c4b591bb102751079d9cc92d7aa1c37f1958c.tar.gz |
vfs_acl_xattr: objects without NT ACL xattr
Even with "ignore system acls" set to "yes", for objects without NT ACL
xattr we use the underlying filesystem permissions to construct an NT
ACL. This can result in *very* unexpected permissions, eg:
- a directory with the following ACL:
$ ./bin/smbcacls -Uslow%pass //localhost/normal ""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\root
ACL:SLOW\slow:ALLOWED/0x0/FULL
So only one non-inheritable(!) ACE.
- creating a subdirectory:
$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"
- checking whether there's an ACL xattr:
$ getfattr -m "" /Volumes/normal/dir1
getfattr: Removing leading '/' from absolute path names
system.posix_acl_access
system.posix_acl_default
user.DOSATTRIB
So there isn't an ACL xattr, because there where no inheritable ACEs on
the parent folder.
- reading the new subdirectories ACL:
$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:Unix Group\slow:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/READ
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
from the underlying filesystem. This is the problem.
- Windows assigns the following ACL in this situation:
$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL
$ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"
$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
REVISION:1
CONTROL:SR|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL
By changing make_default_filesystem_acl() to only adds user and system
ACE to the ACL of objects that lack an ACL xattr, we match Windows
behaviour:
$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"
$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
Diffstat (limited to 'source3/modules')
-rw-r--r-- | source3/modules/vfs_acl_common.c | 44 |
1 files changed, 5 insertions, 39 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index f3d6c0dcfe2..2fda938ed89 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -24,6 +24,7 @@ #include "../libcli/security/security.h" #include "../librpc/gen_ndr/ndr_security.h" #include "../lib/util/bitmap.h" +#include "passdb/lookup_sid.h" static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob, @@ -378,12 +379,10 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, gid_to_sid(&group_sid, psbuf->st_ex_gid); /* - We provide up to 4 ACEs - - Owner - - Group - - Everyone - - NT System - */ + * We provide 2 ACEs: + * - Owner + * - NT System + */ if (mode & S_IRUSR) { if (mode & S_IWUSR) { @@ -403,39 +402,6 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, 0); idx++; - access_mask = 0; - if (mode & S_IRGRP) { - access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; - } - if (mode & S_IWGRP) { - /* note that delete is not granted - this matches posix behaviour */ - access_mask |= SEC_RIGHTS_FILE_WRITE; - } - if (access_mask) { - init_sec_ace(&aces[idx], - &group_sid, - SEC_ACE_TYPE_ACCESS_ALLOWED, - access_mask, - 0); - idx++; - } - - access_mask = 0; - if (mode & S_IROTH) { - access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; - } - if (mode & S_IWOTH) { - access_mask |= SEC_RIGHTS_FILE_WRITE; - } - if (access_mask) { - init_sec_ace(&aces[idx], - &global_sid_World, - SEC_ACE_TYPE_ACCESS_ALLOWED, - access_mask, - 0); - idx++; - } - init_sec_ace(&aces[idx], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, |