Bug 849602
| Summary: | Change in the samba3x code from version 3.5.4-0.83.el5_7.2 to 3.5.10-0.108.el5_8 causes permissions issue. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | tvizirov |
| Component: | samba3x | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED NOTABUG | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.8 | CC: | azelinka, dpal, gdeschner, mhomolov, sbose |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-10-01 10:28:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Steps to reproduce on a Linux system:

```
$ mkdir /samba
$ getfacl /samba
getfacl: Removing leading '/' from absolute path names
# file: samba
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

$ mkdir /samba/test_share
$ getfacl /samba/test_share
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

$ setfacl -m u:IDM+248980:rwx /samba/test_share
$ setfacl -d -m u:IDM+248980:rwx /samba/test_share
$ setfacl -m g:users:rwx /samba/test_share
$ setfacl -d -m g:users:rwx /samba/test_share
$ getfacl /samba/test_share
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share
# owner: root
# group: root
user::rwx
user:IDM+248980:rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x

$ mkdir /samba/test_share/dir_create_from_unix
$ getfacl /samba/test_share/dir_create_from_unix
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/dir_create_from_unix
# owner: root
# group: root
user::rwx
user:IDM+248980:rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x
```

---------------------------------------

Share definition in smb.conf:

```
[test_share]
comment = RHEL Test
path = /samba/test_share
writable = yes
valid users = @IDM+domänen-benutzer (AD domain-users)
read only = No
create mask = 0770
browseable = Yes
public = no
guest ok = no
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
```

Now connect with a Windows machine to the share and login as a 'valid user'. Then create a new folder:

```
$ ls -l /samba/test_share/
total 16
drwxrwxr-x+ 2 root root 4096 May 3 14:06 dir_create_from_unix
drwxr-xr-x+ 2 IDM+248980 IDM+g-it-hw-betriebssysteme 4096 May 3 14:08 New folder

$ getfacl /samba/test_share/'New folder'
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/New folder
# owner: IDM+248980
# group: IDM+g-it-hw-betriebssysteme
user::rwx
user:IDM+248980:rwx    #effective:r-x
group::r-x
group:users:rwx    #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x

$ ls -l /samba/test_share/'New folder'/
total 8
-rwxrwx---+ 1 IDM+248980 IDM+g-it-hw-betriebssysteme 14 May 3 14:32 fox.txt

$ getfacl /samba/test_share/'New folder'
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/New folder
# owner: IDM+248980
# group: IDM+g-it-hw-betriebssysteme
user::rwx
user:IDM+248980:rwx    #effective:r-x
group::r-x
group:users:rwx    #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x
```

Now login as a different user which is part of the 'users' group on the system:

```
[270181@bsm3 ~]$ groups
users wheel
[270181@bsm3 ~]$ cd /samba/test_share/'New folder'
[270181@bsm3 New folder]$ ls -l
total 8
-rwxrwx---+ 1 IDM+248980 IDM+g-it-hw-betriebssysteme 14 May 3 14:32 fox.txt
$ rm fox.txt
rm: cannot remove `fox.txt': Permission denied
```

The problem is that a different default mask is set to the share if you create it from a smb client. This was correct in 3.5.4 and has been changed after this release. The change of behaviour is still present in 3.6.x but has been changed back to what Linux does in 4.0.

This is a config error, not a bug. It's a side effect of the fix for https://bugzilla.samba.org/show_bug.cgi?id=7734

The problem in #7734 was that we were not applying the create masks to files created with "inherit acls".

Check out the smb.conf definitions for:

```
create mask
directory mask
```

These specify masks that are applied to *ALL* files or directories created by smbd through a Windows (non-unix extensions) connection. People take it on trust that any file or directory created by Samba obeys these masks - they allow those masks to be set on a share definition, and the admin *knows* that no files will violate those masks.

So the earlier 3.5.x we considered a bug. You could argue whether "inherit acls" should take precedence over "create mask" or "directory mask" but we decided to make the mask parameters take precedence.

So to fix this you need to set:

```
create mask = 0777
directory mask = 0777
```

in the share definition of your smb.conf and then the inherited ACL will behave as you expect.
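
The mask behaviour discussed above can be reproduced with the POSIX default-ACL inheritance rule; this is an added example, not code from this bug report or from Samba. It assumes smbd creates the directory with a mode limited by `directory mask`, whose documented default 0755 applies here because the share definition sets only `create mask`; all function names are hypothetical.

```python
# Added example, not Samba code. Constructed input: the default ACL that
# getfacl shows for /samba/test_share on this page.
DEFAULT_ACL = """\
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x
"""
BITS = (("r", 4), ("w", 2), ("x", 1))

def to_bits(perm):
    return sum(v for (c, v), p in zip(BITS, perm) if p == c)
def to_rwx(n):
    return "".join(c if n & v else "-" for c, v in BITS)

def parse_default_acl(text):
    """Map (tag, qualifier) -> permission bits for getfacl 'default:' lines."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            tag, qual, perm = line[len("default:"):].split(":")
            acl[(tag, qual)] = to_bits(perm)
    return acl

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` below that default ACL."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7      # owner entry <- owner bits
    acl[("other", "")] &= mode & 7            # other entry <- other bits
    key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[key] &= (mode >> 3) & 7               # mask entry <- group bits
    return acl

def effective(acl, tag, qual=""):
    """Named users, named groups and group:: are limited by the mask."""
    if (tag, qual) in (("user", ""), ("other", "")):
        return to_rwx(acl[(tag, qual)])
    return to_rwx(acl[(tag, qual)] & acl.get(("mask", ""), 7))

def can_delete_in_new_dir(directory_mask, tag="group", qual="users"):
    """Deleting a file needs w and x on its parent directory."""
    acl = inherit(parse_default_acl(DEFAULT_ACL), directory_mask)
    eff = effective(acl, tag, qual)
    return "w" in eff and "x" in eff

print({oct(m): can_delete_in_new_dir(m) for m in (0o755, 0o777)})
```

With 0755 the result matches the `mask::r-x` and `#effective:r-x` entries in the 'New folder' listing; with 0777 the inherited `rwx` entries stay effective.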
Created attachment 605649 [details]
Step by step duplication steps.

Description of problem:

We have a samba share and it's mounted on a Windows machine. The rights for the share are "rwx". On the Windows machine we create a directory inside this share; the file/directory created has "rwx" rights, but then there are effective rights "r-x" which override the original rights. Somehow the mask rights got changed and force the different effective rights. We can always fix this issue by changing the mask rights. However, this behavior was not there in the previous samba version (samba3x.x86_64 3.5.4-0.83.el5_7.2).

Version-Release number of selected component (if applicable):

Works on:

```
samba3x.x86_64 3.5.4-0.83.el5_7.2
samba3x-client.x86_64 3.5.4-0.83.el5_7.2
samba3x-common.x86_64 3.5.4-0.83.el5_7.2
samba3x-winbind.x86_64 3.5.4-0.83.el5_7.2
```

Doesn't work on:

```
samba3x x86_64 3.5.10-0.108.el5_8
samba3x-client x86_64 3.5.10-0.108.el5_8
samba3x-common x86_64 3.5.10-0.108.el5_8
samba3x-winbind x86_64 3.5.10-0.108.el5_8
```

How reproducible:

Same as description.

Actual results:

The file/directory created on the Windows share has "rwx" rights plus additional mask rights, which override the original "rwx".

Expected results:

The file/directory created on the Windows share to be with "rwx" rights.

Additional info:

Same configuration works on: samba3x.x86_64 3.5.4-0.83.el5_7.2

Same configuration doesn't work on: samba3x x86_64 3.5.10-0.108.el5_8

Step by step reproduction steps are included in the attachment: RHEL_case_00631167_20120503_.doc