Bug 863127 - ACL masks incorrectly applied when setting ACLs
ACL masks incorrectly applied when setting ACLs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x (Show other bugs)
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Guenther Deschner
QA Contact: qe-baseos-daemons
Docs Contact:
Depends On:
Blocks: 863173 1088924 1089995
Reported: 2012-10-04 09:33 EDT by Andreas Schneider
Modified: 2014-04-22 06:51 EDT (History)

See Also:
Fixed In Version: samba3x-3.6.6-0.127.el5
Doc Type: Bug Fix
Doc Text:
internal
Story Points: ---
Clone Of:
Clones: 863173 1088924 1089995
Environment:
Last Closed: 2013-01-07 22:36:22 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
log from when the ACL is first applied via samba (162.76 KB, application/octet-stream)
2012-10-19 10:15 EDT, Ales Zelinka


External Trackers
Tracker ID Priority Status Summary Last Updated
Samba Project 9236 None None None 2012-10-04 09:33:18 EDT

Description Andreas Schneider 2012-10-04 09:33:18 EDT
Description of problem:

We incorrectly apply ACL masks to default ACL entries on directories (we should
not) and miss applying them to SMB_ACL_USER and SMB_ACL_GROUP entries.

Normally this isn't noticed as the default ACL masks are 0777.

Additional info:

https://bugzilla.samba.org/show_bug.cgi?id=9190
Comment 1 RHEL Product and Program Management 2012-10-04 09:48:21 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 RHEL Product and Program Management 2012-10-04 11:28:29 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 5 Ales Zelinka 2012-10-11 08:43:33 EDT
I can't reproduce this bug: I either get 
"group:users:rwx #effective:r-x" when not setting "directory mask = 0777" or
"group:users:rwx" when setting directory mask. 
But the behaviour is consistent for both samba3x-3.5.10-0.110 and samba3x-3.6.6-0.128.

Andreas, what is the correct reproducer?
Comment 6 Andreas Schneider 2012-10-11 11:19:19 EDT
Yes, that's correct.

This bug is about 'create mask'/'force create mode' being respected if set.

When setting a non-default ACL, don't forget to apply these masks to SMB_ACL_USER and SMB_ACL_GROUP entries.

This means that if Samba does:

'setacl -m u:asn:rwx /file'

and there is no default mask, it applies the 'create mask' to the file.
Comment 7 Andreas Schneider 2012-10-15 08:05:35 EDT
1). In the share definition, set the parameters:

security mask = 0600
directory security mask = 0700

Set a Windows ACL on an existing file and
on an existing directory on a Samba share
containing an additional user and group
with full control set as the permissions.

The POSIX ace entry on that file or directory
for the user should now be 6 (rw-). Without the patch the
ace entry will be 7 (rwx).

For the group it should be 0 (---). Without the
patch the entry will be 7 (rwx).

2). Even with the mask parameters set above,
default POSIX ace entries should not be
affected by the mask parameters, so a
default group set to "full control" should
still have 7 (rwx) perms.
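The masking rule from the reproducer above, written out as a small Python model so the expected values can be checked offline. This is an added example, not Samba's posix_acls.c code: it assumes (labelled in the code) that a named SMB_ACL_USER entry is ANDed with the owner triple of the relevant mask, a named SMB_ACL_GROUP entry with the group triple, and that owner/group-owner/mask/other entries and all default entries are left alone. The user and group names are constructed sample values.

```python
# Added example (not Samba's own code): a model of the ACL masking rule stated
# in the reproducer. Assumption: SMB_ACL_USER entries are masked with the owner
# triple of 'security mask' / 'directory security mask', SMB_ACL_GROUP entries
# with the group triple, and nothing else (in particular no default: entry) is
# touched.
from dataclasses import dataclass, replace
from typing import Dict, List

MASKED_TAGS = ("SMB_ACL_USER", "SMB_ACL_GROUP")


@dataclass(frozen=True)
class AclEntry:
    tag: str               # SMB_ACL_USER_OBJ, SMB_ACL_USER, SMB_ACL_GROUP_OBJ, ...
    qualifier: str         # user/group name for named entries, "" otherwise
    perms: int             # rwx as a 3-bit value, 0..7
    default: bool = False  # True for a default: entry on a directory


def perms_str(perms: int) -> str:
    """Render a 3-bit value the way getfacl prints it, e.g. 6 -> 'rw-'."""
    return "".join(ch if perms & bit else "-"
                   for ch, bit in (("r", 4), ("w", 2), ("x", 1)))


def triple_for(tag: str, mode: int) -> int:
    """Select the mask triple that applies to a named entry (assumption, see above)."""
    if tag == "SMB_ACL_USER":
        return (mode >> 6) & 0o7
    if tag == "SMB_ACL_GROUP":
        return (mode >> 3) & 0o7
    raise ValueError(f"no mask triple for tag {tag}")


def apply_security_mask(entries: List[AclEntry], security_mask: int,
                        directory_security_mask: int, is_dir: bool) -> List[AclEntry]:
    """Return the entries as they should be stored after masking.

    Only access entries of type SMB_ACL_USER / SMB_ACL_GROUP are ANDed with the
    mask; default entries keep the permissions the client asked for.
    """
    mask = directory_security_mask if is_dir else security_mask
    out = []
    for e in entries:
        if e.tag in MASKED_TAGS and not e.default:
            out.append(replace(e, perms=e.perms & triple_for(e.tag, mask)))
        else:
            out.append(e)
    return out


def format_acl(entries: List[AclEntry]) -> List[str]:
    """Produce getfacl-style lines for readability."""
    names = {"SMB_ACL_USER_OBJ": "user", "SMB_ACL_USER": "user",
             "SMB_ACL_GROUP_OBJ": "group", "SMB_ACL_GROUP": "group",
             "SMB_ACL_MASK": "mask", "SMB_ACL_OTHER": "other"}
    return [f"{'default:' if e.default else ''}{names[e.tag]}:{e.qualifier}:{perms_str(e.perms)}"
            for e in entries]


def reproducer_scenario() -> Dict[str, object]:
    """Run the reproducer: full control (rwx) granted to an extra user and group
    on a file and on a directory whose default ACL also grants the group rwx,
    with security mask = 0600 and directory security mask = 0700."""
    file_acl = [
        AclEntry("SMB_ACL_USER_OBJ", "", 6),
        AclEntry("SMB_ACL_USER", "extra_user", 7),      # constructed name
        AclEntry("SMB_ACL_GROUP_OBJ", "", 0),
        AclEntry("SMB_ACL_GROUP", "extra_group", 7),    # constructed name
        AclEntry("SMB_ACL_MASK", "", 7),
        AclEntry("SMB_ACL_OTHER", "", 0),
    ]
    dir_acl = file_acl + [AclEntry("SMB_ACL_GROUP", "extra_group", 7, default=True)]

    masked_file = apply_security_mask(file_acl, 0o600, 0o700, is_dir=False)
    masked_dir = apply_security_mask(dir_acl, 0o600, 0o700, is_dir=True)
    return {
        "file_user": masked_file[1].perms,         # 6 (rw-): masked by owner triple of 0600
        "file_group": masked_file[3].perms,        # 0 (---): masked by group triple of 0600
        "dir_group": masked_dir[3].perms,          # 0 (---): masked by group triple of 0700
        "dir_default_group": masked_dir[6].perms,  # 7 (rwx): default entries are not masked
        "file_lines": format_acl(masked_file),
    }


if __name__ == "__main__":
    for line in reproducer_scenario()["file_lines"]:
        print(line)
```

Running the block prints the masked file ACL in getfacl layout; the named user line comes out as rw- and the named group line as ---, while a default group entry on the directory keeps rwx, which is the distinction between the patched and unpatched behaviour described in the reproducer.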
Comment 8 Ales Zelinka 2012-10-19 10:13:23 EDT
This is what I get after trying to set "Full Control" for ZELGROUP+user on  /tmp/zelshare/file:

on samba3x-3.5.10-0.110.el5_8:
getfacl: Removing leading '/' from absolute path names
# file: tmp/zelshare/file
# owner: root
# group: root
user::rw-
user:ZELGROUP+user:rwx
group::---
group:ZELGROUP+domain\040users:rwx
mask::rwx
other::---


on samba3x-3.6.6-0.128.el5:
getfacl: Removing leading '/' from absolute path names
# file: tmp/zelshare/file
# owner: root
# group: root
user::rw-
user:ZELGROUP+user:---
group::---
group:ZELGROUP+domain\040users:---
mask::rwx
other::---


the share is set as follows:
[zelshare]
	path = /tmp/zelshare
	admin users = ZELGROUP+administrator
	read only = No
	security mask = 0600
	directory security mask = 0700
Comment 9 Ales Zelinka 2012-10-19 10:15:21 EDT
Created attachment 630055 [details]
log from when the ACL is first applied via samba

debug 10 log, this seems to be the place where all permissions get lost:

[2012/10/19 10:04:04.355841, 10] smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: file ace - before valid
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
  canon_ace index 2. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 3. Type = allow SID = S-1-5-21-3142488501-2994438553-525746589-1003 uid 10001 (ZELGROUP+user) SMB_ACL_USER ace_flags = 0x0 perms rwx
[2012/10/19 10:04:04.357026, 10] smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: dir ace - before valid
[2012/10/19 10:04:04.357070, 10] smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: file ace - return
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 3. Type = allow SID = S-1-5-21-3142488501-2994438553-525746589-1003 uid 10001 (ZELGROUP+user) SMB_ACL_USER ace_flags = 0x0 perms ---
Comment 10 Andreas Schneider 2012-10-19 14:41:44 EDT
Yes, the output in comment #8 looks right. I also asked Jeremy and he says it looks correct too.
Comment 14 errata-xmlrpc 2013-01-07 22:36:22 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0064.html
