Bug 1005559 - Samba treats delete permissions differently than Windows ACLs
Summary: Samba treats delete permissions differently than Windows ACLs
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: 2.1
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: ---
Assignee: Jose A. Rivera
QA Contact: Lalatendu Mohanty
URL:
Whiteboard: ntacl
Depends On:
Blocks:
Reported: 2013-09-08 11:38 UTC by Lalatendu Mohanty
Modified: 2015-12-03 17:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-03 17:13:12 UTC
Embargoed:



Description Lalatendu Mohanty 2013-09-08 11:38:07 UTC
Description of problem:

Samba treats delete permissions differently than Windows ACLs.

In Windows:

You can give a user group "read", "list folder contents" and "read & execute" + "delete subfolders and files", "delete" on a directory, and any user in the user group can delete files and subfolders inside the directory.

But the same is not applicable for samba shares of XFS or glusterfs. With the above permissions on a samba share, the effective permission becomes "read", "list folder contents" and "read & execute".

The current ACL implementation for samba+glusterfs does not give delete permission to a user/group without write + modify permission or full control, which may be correct from a POSIX point of view but not from a Windows ACL point of view.

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:

You can give a user group (e.g. ug1) "read, list folder contents and read & execute" + "delete subfolders and files, delete" on a directory and

1. Mount a samba share on a win7 client
2. As User1, create a directory and a file inside it.
3. As User1, give "read, list folder contents and read & execute" + "delete subfolders and files, delete" to User2/Usergroup2.

4. As User2 try to delete the file.

Actual results:

It doesn't give permission to delete the file

Expected results:

It should allow deletion of file

Additional info:

[root@bvt-rhs1 cifs]# rpm -qa | grep 'samba\|glusterfs'
samba-doc-3.6.9-160.3.el6rhs.x86_64
glusterfs-fuse-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-api-3.4.0.32rhs-1.el6rhs.x86_64
samba-winbind-3.6.9-160.3.el6rhs.x86_64
samba-glusterfs-3.6.9-160.3.el6rhs.x86_64
glusterfs-3.4.0.32rhs-1.el6rhs.x86_64
samba-swat-3.6.9-160.3.el6rhs.x86_64
samba-winbind-krb5-locator-3.6.9-160.3.el6rhs.x86_64
samba-domainjoin-gui-3.6.9-160.3.el6rhs.x86_64
glusterfs-geo-replication-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-rdma-3.4.0.32rhs-1.el6rhs.x86_64
samba-common-3.6.9-160.3.el6rhs.x86_64
samba-3.6.9-160.3.el6rhs.x86_64
samba-client-3.6.9-160.3.el6rhs.x86_64
samba-winbind-devel-3.6.9-160.3.el6rhs.x86_64
glusterfs-libs-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-server-3.4.0.32rhs-1.el6rhs.x86_64
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-160.3.el6rhs.x86_64

Comment 2 Christopher R. Hertel 2013-10-02 19:08:52 UTC
This may be due to the translation between NTFS and POSIX ACLs.  This should be tested again when the vfs_acl_xattr module is loaded to see if the behavior changes.  Conversion from NTFS ACLs to POSIX and back again will cause a loss of ACL information.
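
Added example (not part of the original bug report, and not Samba or GlusterFS code): a simplified model of the NTFS-to-POSIX ACL translation raised in comment 2, applied to the grant from the description to show which rights are lost and why the delete is then refused. The rwx mapping functions are assumptions made for illustration; the access-mask values are the Windows SDK constants.

```python
# Added illustration, not Samba or GlusterFS code: a simplified (assumed)
# NT-mask <-> POSIX rwx mapping showing where the delete rights disappear.

# Windows access-mask bits (values from the Windows SDK headers).
FILE_READ_DATA = 0x000001        # "list folder" on a directory
FILE_WRITE_DATA = 0x000002       # "create files" on a directory
FILE_APPEND_DATA = 0x000004      # "create folders" on a directory
FILE_READ_EA = 0x000008
FILE_EXECUTE = 0x000020          # "traverse folder" on a directory
FILE_DELETE_CHILD = 0x000040     # "delete subfolders and files"
FILE_READ_ATTRIBUTES = 0x000080
DELETE = 0x010000                # "delete"
READ_CONTROL = 0x020000
SYNCHRONIZE = 0x100000

R_BITS = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
          | READ_CONTROL | SYNCHRONIZE)
W_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA
X_BITS = FILE_EXECUTE

# The grant from the report: read, list, read & execute, plus both delete rights.
REPORTED = R_BITS | X_BITS | DELETE | FILE_DELETE_CHILD

def nt_to_posix(mask):
    """Collapse an NT access mask to an rwx string; there is no slot for delete."""
    return (("r" if mask & FILE_READ_DATA else "-")
            + ("w" if mask & W_BITS else "-")
            + ("x" if mask & FILE_EXECUTE else "-"))

def posix_to_nt(perms):
    """Rebuild an NT mask from rwx, as a server must when a client reads the ACL."""
    return ((R_BITS if "r" in perms else 0) | (W_BITS if "w" in perms else 0)
            | (X_BITS if "x" in perms else 0))

def lost_bits(mask):
    """Rights in the original mask that do not survive the round trip."""
    return mask & ~posix_to_nt(nt_to_posix(mask))

def windows_can_delete(parent_mask, file_mask):
    """Windows rule: DELETE on the object or FILE_DELETE_CHILD on its parent."""
    return bool(file_mask & DELETE or parent_mask & FILE_DELETE_CHILD)

def posix_can_delete(parent_perms):
    """POSIX rule: unlink needs write and search on the parent directory
    (sticky bit and ownership are ignored in this model)."""
    return "w" in parent_perms and "x" in parent_perms

if __name__ == "__main__":
    print("stored as:", nt_to_posix(REPORTED), "lost:", hex(lost_bits(REPORTED)))
    print("Windows:", windows_can_delete(REPORTED, REPORTED),
          "POSIX:", posix_can_delete(nt_to_posix(REPORTED)))
```

In this model the grant is stored as r-x, so the effective permission read back by the client is exactly the read set the reporter saw, and adding the write bits is what makes the POSIX check pass.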

Comment 3 Ira Cooper 2014-09-03 12:39:18 UTC
We're working on upgrading samba, assigning to Jose as part of that project, may be reassigned.

Comment 4 Vivek Agarwal 2015-12-03 17:13:12 UTC
Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/rhs/

If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.

