From: Ralph Boehme Date: Sat, 6 Sep 2025 06:48:44 +0000 (+0200) Subject: vfs_fruit: ignore Set-ACL requests with zero ACEs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a112978ed1240c399eb90e4472d5c43d867c49d9;p=thirdparty%2Fsamba.git vfs_fruit: ignore Set-ACL requests with zero ACEs Workaround for a new behaviour in latest macOS versions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke --- diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml index a2a382e6087..333f8678e61 100644 --- a/docs-xml/manpages/vfs_fruit.8.xml +++ b/docs-xml/manpages/vfs_fruit.8.xml @@ -463,6 +463,24 @@ + + fruit:ignore_zero_aces = yes | no + + + When fruit:ignore_zero_aces is + enabled, attempts to modify filesystem permissions fail if the ACL + sent over the wire contains no ACEs. This is completely valid + client behaviour, but it means subsequently no further access is + possible to the file, unless permissions get fixed by an + administrator. + This problematic behaviour has been reported for latest + macOS versions and this new option allows to work around + it. + The default is yes. + + + + diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index f044e755349..d4f2cbc06c8 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -138,6 +138,7 @@ struct fruit_config_data { bool delete_empty_adfiles; bool validate_afpinfo; bool veto_localized; + bool ignore_zero_aces; /* * Additional options, all enabled by default, @@ -344,6 +345,11 @@ static int init_fruit_config(vfs_handle_struct *handle) config->posix_opens = lp_parm_bool( SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_opens", true); + config->ignore_zero_aces = lp_parm_bool(SNUM(handle->conn), + FRUIT_PARAM_TYPE_NAME, + "ignore_zero_aces", + true); + config->aapl_zero_file_id = lp_parm_bool(SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "zero_file_id", true); 
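Review bot: Defaulting `ignore_zero_aces` to `true` in `init_fruit_config` turns the workaround on for every share that uses this module unless it is switched off, not just for the macOS clients named in the commit message. An empty DACL is also how a client deliberately denies all access, and with this default such a request is dropped while the caller is told it succeeded (see the early `return NT_STATUS_OK` added to `fruit_fset_nt_acl`), so the file keeps its previous, possibly wider, permissions. I would record that trade-off at the assignment, for example `/* Default on: works around macOS sending empty DACLs; an intentional deny-all DACL is ignored too. */`, and state it in the manpage entry as well. The body of `init_fruit_config` starts and ends outside this hunk.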
@@ -4633,6 +4639,7 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, uint32_t security_info_sent, const struct security_descriptor *orig_psd) { + struct fruit_config_data *config = NULL; NTSTATUS status; bool do_chmod; mode_t ms_nfs_mode = 0; @@ -4640,6 +4647,10 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, struct security_descriptor *psd = NULL; uint32_t orig_num_aces = 0; + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct fruit_config_data, + return NT_STATUS_UNSUCCESSFUL); + if (orig_psd->dacl != NULL) { orig_num_aces = orig_psd->dacl->num_aces; } @@ -4651,6 +4662,13 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, DBG_DEBUG("%s\n", fsp_str_dbg(fsp)); + if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) { + /* + * Just ignore Set-ACL requests with zero ACEs. + */ + return NT_STATUS_OK; + } + status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
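Review bot: The added condition reads `psd->dacl->num_aces` without testing `psd->dacl`, although the context just above guards `orig_psd->dacl != NULL` before reading the same field. The statement that fills `psd` is outside the hunks, so this is inferred, but a descriptor that carries no DACL (for example an owner-only change) would appear to be dereferenced as NULL here. Guarding it as `if (config->ignore_zero_aces && psd->dacl != NULL && psd->dacl->num_aces == 0) {` keeps the workaround and lets DACL-less requests continue to the code below. The early `return NT_STATUS_OK` also drops any owner or group part of the same request and reports success, whereas the manpage text added in this commit says such attempts "fail"; the two should agree. A `DBG_NOTICE` with `fsp_str_dbg(fsp)` before the return would let an administrator see that a request was ignored.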