Bug 1005559 - Samba treats delete permissions differently than Windows ACLs
Status: CLOSED EOL
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Assigned To: Jose A. Rivera
Lalatendu Mohanty
ntacl
Reported: 2013-09-08 07:38 EDT by Lalatendu Mohanty
Modified: 2015-12-03 12:13 EST
Doc Type: Bug Fix
Last Closed: 2015-12-03 12:13:12 EST
Type: Bug
Description Lalatendu Mohanty 2013-09-08 07:38:07 EDT
Description of problem:

Samba treats delete permissions differently than Windows ACLs.

In Windows:

You can give a user group "read", "list folder contents" and "read & execute" + "delete subfolders and files", "delete" on a directory and any user in the user group can delete files and subfolders inside the directory.

But the same is not applicable for samba shares of XFS or glusterfs. With the above permissions on a samba share, the effective permission becomes "read", "list folder contents" and "read & execute".

The current ACL implementation for samba+glusterfs does not give delete permission to a user/group without write + modify permission or full control, which may be correct from a POSIX point of view but not from a Windows ACL point of view.

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:

You can give a user group (e.g. ug1) "read, list folder contents and read & execute" + "delete subfolders and files, delete" on a directory and

1. Mount a samba share on a win7 client
2. As User1, create a directory and a file inside it.
3. As User1, give "read, list folder contents and read & execute" + "delete subfolders and files, delete" to User2/Usergroup2.

4. As User2 try to delete the file.

Actual results:

It doesn't give permission to delete the file.

Expected results:

It should allow deletion of the file.

Additional info:

[root@bvt-rhs1 cifs]# rpm -qa | grep 'samba\|glusterfs'
samba-doc-3.6.9-160.3.el6rhs.x86_64
glusterfs-fuse-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-api-3.4.0.32rhs-1.el6rhs.x86_64
samba-winbind-3.6.9-160.3.el6rhs.x86_64
samba-glusterfs-3.6.9-160.3.el6rhs.x86_64
glusterfs-3.4.0.32rhs-1.el6rhs.x86_64
samba-swat-3.6.9-160.3.el6rhs.x86_64
samba-winbind-krb5-locator-3.6.9-160.3.el6rhs.x86_64
samba-domainjoin-gui-3.6.9-160.3.el6rhs.x86_64
glusterfs-geo-replication-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-rdma-3.4.0.32rhs-1.el6rhs.x86_64
samba-common-3.6.9-160.3.el6rhs.x86_64
samba-3.6.9-160.3.el6rhs.x86_64
samba-client-3.6.9-160.3.el6rhs.x86_64
samba-winbind-devel-3.6.9-160.3.el6rhs.x86_64
glusterfs-libs-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-server-3.4.0.32rhs-1.el6rhs.x86_64
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-160.3.el6rhs.x86_64
Comment 2 Christopher R. Hertel 2013-10-02 15:08:52 EDT
This may be due to the translation between NTFS and POSIX ACLs.  This should be tested again when the vfs_acl_xattr module is loaded to see if the behavior changes.  Conversion from NTFS ACLs to POSIX and back again will cause a loss of ACL information.
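A simplified model of the NTFS-to-POSIX-and-back round trip mentioned in comment 2, added here as an illustration; it is not Samba's code and not part of the original thread. The bit values are the standard Windows access-mask constants; the `EXPAND` and `KEY` tables are assumptions of this model, not Samba's actual mapping.

```python
from enum import IntFlag

class Access(IntFlag):  # access-mask bits, values as in the Windows SDK headers
    FILE_READ_DATA = 0x000001         # on a directory: list folder contents
    FILE_WRITE_DATA = 0x000002
    FILE_APPEND_DATA = 0x000004
    FILE_READ_EA = 0x000008
    FILE_WRITE_EA = 0x000010
    FILE_EXECUTE = 0x000020           # on a directory: traverse
    FILE_DELETE_CHILD = 0x000040      # "delete subfolders and files"
    FILE_READ_ATTRIBUTES = 0x000080
    FILE_WRITE_ATTRIBUTES = 0x000100
    DELETE = 0x010000                 # "delete"
    READ_CONTROL = 0x020000
    SYNCHRONIZE = 0x100000

A = Access
COMMON = A.FILE_READ_ATTRIBUTES | A.READ_CONTROL | A.SYNCHRONIZE
# Model assumption: NT rights each POSIX bit expands to. Delete rights ride
# along with "w" only, because POSIX has no separate delete bit.
EXPAND = {
    "r": COMMON | A.FILE_READ_DATA | A.FILE_READ_EA,
    "w": COMMON | A.FILE_WRITE_DATA | A.FILE_APPEND_DATA | A.FILE_WRITE_EA
         | A.FILE_WRITE_ATTRIBUTES | A.FILE_DELETE_CHILD | A.DELETE,
    "x": COMMON | A.FILE_EXECUTE,
}
# Model assumption: the data-access right that must be granted to set each bit.
KEY = {"r": A.FILE_READ_DATA, "w": A.FILE_WRITE_DATA, "x": A.FILE_EXECUTE}

def nt_to_posix(mask):
    """Collapse an NT access mask to an 'rwx'-style string."""
    return "".join(b if mask & KEY[b] else "-" for b in "rwx")

def posix_to_nt(mode):
    """Expand an 'rwx'-style string back to an NT access mask."""
    mask = A(0)
    for b in mode.replace("-", ""):
        mask |= EXPAND[b]
    return mask

def lost_rights(mask):
    """Names of rights granted in `mask` that do not survive the round trip."""
    survived = posix_to_nt(nt_to_posix(mask))
    return [f.name for f in A if f & mask and not f & survived]

# The grant from the report: read, list, read & execute, plus both delete rights.
REPORT_GRANT = EXPAND["r"] | EXPAND["x"] | A.FILE_DELETE_CHILD | A.DELETE
print(nt_to_posix(REPORT_GRANT), lost_rights(REPORT_GRANT))
```

In this model the report's grant collapses to `r-x`, so both delete rights are dropped, which matches the effective permissions described in the report.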
Comment 3 Ira Cooper 2014-09-03 08:39:18 EDT
We're working on upgrading samba, assigning to Jose as part of that project, may be reassigned.
Comment 4 Vivek Agarwal 2015-12-03 12:13:12 EST
Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/rhs/

If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.
