Red Hat Bugzilla – Bug 1005559
Samba treats delete permissions differently than Windows ACLs
Last modified: 2015-12-03 12:13:12 EST
Description of problem:
Samba treats delete permissions differently than Windows ACLs.
You can give a user group "read", "list folder contents" and "read & execute" + "delete subfolders and files", "delete" on a directory and any user in the user group can delete files and sub folders inside the directory.
But the same is not applicable for samba shares of XFS or glusterfs. With the above permissions on a samba share, the effective permission becomes "read", "list folder contents" and "read & execute".
The current ACL implementation for samba+glusterfs does not give delete permission to a user/group without write + modify permission or full control, which may be correct from a POSIX point of view but not from a Windows ACL point of view.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
You can give a user group (e.g. ug1) "read, list folder contents and read & execute" + "delete subfolders and files, delete" on a directory and
1. Mount a samba share on a win7 client
2. As User1, create a directory and a file inside it.
3. As User1 give "read, list folder contents and read & execute" + "delete subfolders and files, delete" to User2/Usergroup2.
4. As User2 try to delete the file.
It doesn't give permission to delete the file.
It should allow deletion of the file.
[root@bvt-rhs1 cifs]# rpm -qa | grep 'samba\|glusterfs'
This may be due to the translation between NTFS and POSIX ACLs. This should be tested again when the vfs_acl_xattr module is loaded to see if the behavior changes. Conversion from NTFS ACLs to POSIX and back again will cause a loss of ACL information.
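The information loss described in the comment above, as an added illustration that is not part of the original bug report and is not Samba's mapping code: a simplified round trip of an NT access mask through POSIX rwx bits. The mapping rule and the function names are assumptions made for the example; the grant is constructed from the permissions listed in the report.

```python
# Added illustration: simplified NT access mask <-> POSIX rwx mapping.
# NOT Samba's code; it only models what a 3-bit POSIX entry can retain.

# NT access-mask bits (standard Windows values).
FILE_READ_DATA        = 0x000001  # "list folder contents" on a directory
FILE_WRITE_DATA       = 0x000002
FILE_APPEND_DATA      = 0x000004
FILE_READ_EA          = 0x000008
FILE_WRITE_EA         = 0x000010
FILE_EXECUTE          = 0x000020  # traverse on a directory
FILE_DELETE_CHILD     = 0x000040  # "delete subfolders and files"
FILE_READ_ATTRIBUTES  = 0x000080
FILE_WRITE_ATTRIBUTES = 0x000100
DELETE                = 0x010000  # "delete"
READ_CONTROL          = 0x020000
SYNCHRONIZE           = 0x100000

NT_READ = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
           | READ_CONTROL | SYNCHRONIZE)
NT_WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
NT_EXEC = FILE_EXECUTE
R, W, X = 4, 2, 1
PAIRS = ((R, NT_READ), (W, NT_WRITE), (X, NT_EXEC))

def nt_to_posix(mask):
    """Assumed rule: keep a POSIX bit only if every NT bit behind it is granted."""
    return sum(bit for bit, nt in PAIRS if mask & nt == nt)

def posix_to_nt(perms):
    """Expand rwx back into the NT bits each POSIX bit stands for."""
    mask = 0
    for bit, nt in PAIRS:
        if perms & bit:
            mask |= nt
    return mask

def lost_bits(mask):
    """NT rights that do not survive the NT -> POSIX -> NT round trip."""
    return mask & ~posix_to_nt(nt_to_posix(mask))

def posix_can_unlink(dir_perms):
    """POSIX: removing an entry needs write + search on the parent directory."""
    return dir_perms & (W | X) == (W | X)

# Constructed grant from the report: read & execute + both delete rights.
GRANT = NT_READ | NT_EXEC | DELETE | FILE_DELETE_CHILD

if __name__ == "__main__":
    perms = nt_to_posix(GRANT)
    print(f"POSIX perms: {perms:03b}  lost NT bits: {lost_bits(GRANT):#08x}")
    print("delete allowed under POSIX:", posix_can_unlink(perms))
```

Because POSIX has no per-entry delete right, the two delete bits have nowhere to go once the ACL is stored as rwx, which matches the effective permissions reported above.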
We're working on upgrading samba, assigning to Jose as part of that project, may be reassigned.
Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/rhs/
If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.