Bug 849602 - Change in the samba3x code from version 3.5.4-0.83.el5_7.2 to 3.5.10-0.108.el5_8 causes permissions issue.
Change in the samba3x code from version 3.5.4-0.83.el5_7.2 to 3.5.10-0.108.e...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x (Show other bugs)
5.8
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Andreas Schneider
qe-baseos-daemons
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-20 06:08 EDT by tvizirov
Modified: 2013-01-10 21:11 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-01 06:28:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Step by step duplication steps. (488.14 KB, application/vnd.oasis.opendocument.text)
2012-08-20 06:08 EDT, tvizirov
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Samba Project 9190 None None None 2012-09-21 05:12:11 EDT

  None (edit)
Description tvizirov 2012-08-20 06:08:17 EDT
Created attachment 605649 [details]
Step by step duplication steps.

Description of problem:

We have a samba share and its mounted on a windows machine. The rights for the share are "rwx". On the windows machine we create directory inside this share, the file/directory created is with "rwx" rights, but then there is an effective rights "r-x" which override the original rights. Somehow the mask rights got changed and force the different effective rights. We can always fix this issue by changing the mask rights. However this behavior was not there in the previous samba version(samba3x.x86_64 3.5.4-0.83.el5_7.2). 


Version-Release number of selected component (if applicable):

Works on:
samba3x.x86_64                         3.5.4-0.83.el5_7.2        
samba3x-client.x86_64                  3.5.4-0.83.el5_7.2        
samba3x-common.x86_64                  3.5.4-0.83.el5_7.2       
samba3x-winbind.x86_64                 3.5.4-0.83.el5_7.2        

Doesn't work on:
samba3x          x86_64                3.5.10-0.108.el5_8                     
samba3x-client   x86_64                3.5.10-0.108.el5_8           
samba3x-common   x86_64                3.5.10-0.108.el5_8                  
samba3x-winbind  x86_64                3.5.10-0.108.el5_8           

How reproducible:

Same as description.

 
Actual results:

The file/directory created on the windows share have "rwx" rights plus additional mask rights, which overrides the original "rwx". 

Expected results:

The file/directory created on the windows share to be with "rwx" rights.

Additional info: 

Same configuration works on: samba3x.x86_64         3.5.4-0.83.el5_7.2
Same configurations doesn't work on:samba3x x86_64  3.5.10-0.108.el5_8

Step by step reproduction steps are included in the attachment: 
RHEL_case_00631167_20120503_.doc
Comment 1 RHEL Product and Program Management 2012-08-21 09:38:34 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 4 Andreas Schneider 2012-09-18 12:32:31 EDT

Steps to reproduce on a on linux system:


$ mkdir /samba
$ getfacl /samba
getfacl: Removing leading '/' from absolute path names
# file: samba
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


$ mkdir /samba/test_share
$ getfacl /samba/test_share
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


$ setfacl -m u:IDM+248980:rwx /samba/test_share
$ setfacl -d -m u:IDM+248980:rwx /samba/test_share
$ setfacl -m g:users:rwx /samba/test_share
$ setfacl -d -m g:users:rwx /samba/test_share
$ getfacl /samba/test_share
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share
# owner: root
# group: root
user::rwx
user:IDM+248980:rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x


$ mkdir /samba/test_share/dir_create_from_unix
$ getfacl /samba/test_share/dir_create_from_unix
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/dir_create_from_unix
# owner: root
# group: root
user::rwx
user:IDM+248980:rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x



---------------------------------------
Share definition in smb.conf:

[test_share]
  comment = RHEL Test
  path = /samba/test_share
  writable = yes
  valid users = @IDM+domänen-benutzer (AD domain-users)
  read only = No
  create mask = 0770
  browseable = Yes
  public = no
  guest ok = no
  inherit acls = Yes
  map acl inherit = Yes
  store dos attributes = Yes

Now connect with a Windows machine to the share and login as a 'valid user'. Then create a new folder:



$ ls -l /samba/test_share/
total 16
drwxrwxr-x+ 2 root root 4096 May 3 14:06 dir_create_from_unix
drwxr-xr-x+ 2 IDM+248980 IDM+g-it-hw-betriebssysteme 4096 May 3 14:08 New folder


$ getfacl /samba/test_share/'New folder'
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/New folder# owner: IDM+248980
# group: IDM+g-it-hw-betriebssysteme
user::rwx
user:IDM+248980:rwx #effective:r-x
group::r-x
group:users:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x


$ ls -l /samba/test_share/'New folder'/
total 8
-rwxrwx---+ 1 IDM+248980 IDM+g-it-hw-betriebssysteme 14 May 3 14:32 fox.txt

$ getfacl /samba/test_share/'New folder'
getfacl: Removing leading '/' from absolute path names
# file: samba/test_share/New folder
# owner: IDM+248980
# group: IDM+g-it-hw-betriebssysteme
user::rwx
user:IDM+248980:rwx #effective:r-x
group::r-x
group:users:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:IDM+248980:rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x



Now login as a different user which is part of the 'users' group on the system:


[270181@bsm3 ~]$ groups
users wheel


[270181@bsm3 ~]$ cd /samba/test_share/'New folder'

[270181@bsm3 New folder]$ ls -l
total 8
-rwxrwx---+ 1 IDM+248980 IDM+g-it-hw-betriebssysteme 14 May 3 14:32 fox.txt



$ rm fox.txt
rm: cannot remove `fox.txt': Permission denied


The problem is that a different default mask is set to the share if you create it from a smb client. This was correct in 3.5.4 and has been changed after this release. The change of behaviour is still present in 3.6.x but has been changed back to what Linux does in 4.0.
Comment 6 Andreas Schneider 2012-10-01 06:24:18 EDT
This is a config error, not a bug.

It's a side effect of the fix for https://bugzilla.samba.org/show_bug.cgi?id=7734

The problem in #7734 was that we were not applying the create masks to files
created with "inherit acls".

Check out the smb.conf definitions for:

create mask
directory mask

These specify masks that are applied to *ALL* files or directories created by
smbd through a Windows (non-unix extensions) connection. People take it on
trust that any file or directory created by Samba obeys these masks - they
allow those masks to be set on a share definition, and the admin *knows* that
no files will violate those masks.

So the earlier 3.5.x we considered a bug. You could argue whether "inherit
acls" should take precedence over "create mask" or "directory mask" but we
decided to make the mask parameters take precedence.

So to fix this you need to set:

create mask = 0777
directory mask = 0777

in the share definition of your smb.conf and then the inherited ACL will behave
as you expect.

Note You need to log in before you can comment on or make changes to this bug.