From: Ralph Boehme
Date: Fri, 15 Jul 2016 15:48:19 +0000 (+0200)
Subject: vfs_acl_xattr: objects without NT ACL xattr
X-Git-Tag: samba-4.3.12~82
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf920bcb7fe9deb0096e2eeba5a356a345d5d247;p=thirdparty%2Fsamba.git

vfs_acl_xattr: objects without NT ACL xattr

Even with "ignore system acls" set to "yes", for objects without NT ACL
xattr we use the underlying filesystem permissions to construct an NT
ACL.

This can result in *very* unexpected permissions, e.g.:

- a directory with the following ACL:

  $ ./bin/smbcacls -Uslow%pass //localhost/normal ""
  REVISION:1
  CONTROL:SR|DP
  OWNER:SLOW\slow
  GROUP:Unix Group\root
  ACL:SLOW\slow:ALLOWED/0x0/FULL

  So only one non-inheritable(!) ACE.

- creating a subdirectory:

  $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"

- checking whether there's an ACL xattr:

  $ getfattr -m "" /Volumes/normal/dir1
  getfattr: Removing leading '/' from absolute path names
  system.posix_acl_access
  system.posix_acl_default
  user.DOSATTRIB

  So there isn't an ACL xattr, because there were no inheritable ACEs on
  the parent folder.

- reading the new subdirectory's ACL:

  $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
  REVISION:1
  CONTROL:SR|DP
  OWNER:SLOW\slow
  GROUP:Unix Group\slow
  ACL:SLOW\slow:ALLOWED/0x0/FULL
  ACL:Unix Group\slow:ALLOWED/0x0/READ
  ACL:Everyone:ALLOWED/0x0/READ
  ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL

  The ACEs for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
  from the underlying filesystem. This is the problem.

- Windows assigns the following ACL in this situation:

  $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
  REVISION:1
  CONTROL:SR|PD|DI|DP
  OWNER:VORDEFINIERT\Administratoren
  GROUP:WIN2008R2\Domänen-Benutzer
  ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL

  $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"

  $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
  REVISION:1
  CONTROL:SR|DI|DP
  OWNER:VORDEFINIERT\Administratoren
  GROUP:WIN2008R2\Domänen-Benutzer
  ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
  ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL

By changing make_default_filesystem_acl() to only add user and system
ACEs to the ACL of objects that lack an ACL xattr, we match Windows
behaviour:

  $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"

  $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
  REVISION:1
  CONTROL:SR|DP
  OWNER:SLOW\slow
  GROUP:Unix Group\slow
  ACL:SLOW\slow:ALLOWED/0x0/FULL
  ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144

(cherry picked from commit 961c4b591bb102751079d9cc92d7aa1c37f1958c)

Autobuild-User(v4-3-test): Karolin Seeger
Autobuild-Date(v4-3-test): Wed Aug 3 14:42:05 CEST 2016 on sn-devel-104
---
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index dc9676106c2..f5af666ced5 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -24,6 +24,7 @@ #include "../libcli/security/security.h" #include "../librpc/gen_ndr/ndr_security.h" #include "../lib/util/bitmap.h" +#include "passdb/lookup_sid.h" static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob, 
@@ -378,12 +379,10 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, gid_to_sid(&group_sid, psbuf->st_ex_gid); /* - We provide up to 4 ACEs - - Owner - - Group - - Everyone - - NT System - */ + * We provide 2 ACEs: + * - Owner + * - NT System + */ if (mode & S_IRUSR) { if (mode & S_IWUSR) { @@ -403,39 +402,6 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, 0); idx++; - access_mask = 0; - if (mode & S_IRGRP) { - access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; - } - if (mode & S_IWGRP) { - /* note that delete is not granted - this matches posix behaviour */ - access_mask |= SEC_RIGHTS_FILE_WRITE; - } - if (access_mask) { - init_sec_ace(&aces[idx], - &group_sid, - SEC_ACE_TYPE_ACCESS_ALLOWED, - access_mask, - 0); - idx++; - } - - access_mask = 0; - if (mode & S_IROTH) { - access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; - } - if (mode & S_IWOTH) { - access_mask |= SEC_RIGHTS_FILE_WRITE; - } - if (access_mask) { - init_sec_ace(&aces[idx], - &global_sid_World, - SEC_ACE_TYPE_ACCESS_ALLOWED, - access_mask, - 0); - idx++; - } - init_sec_ace(&aces[idx], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
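Review bot: In the @@ -24,6 +24,7 @@ hunk, the new #include "passdb/lookup_sid.h" is not motivated by anything else in this patch: no added line calls a new function, and the only SID lookup in view is the pre-existing context line "gid_to_sid(&group_sid, psbuf->st_ex_gid);". If the header is there to supply a prototype that was previously missing, say so in the commit message or move it to its own commit, so that a backport of the behaviour change carries nothing unrelated.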
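Review bot: In the @@ -378,12 +379,10 @@ hunk, the rewritten comment states only "We provide 2 ACEs: Owner, NT System" and does not record why the group and other mode bits are no longer mapped. Add a sentence saying that this is deliberate and matches what Windows assigns to an object created under a parent with no inheritable ACEs, otherwise a later reader is likely to put the group and Everyone entries back. Note also that the owner ACE is still gated on the context lines "if (mode & S_IRUSR) {" and "if (mode & S_IWUSR) {", so the owner's access is still derived from the underlying filesystem mode, while the Windows example in the commit message shows FULL; the comment should state whether that remaining dependency is intended.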
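Review bot: In the @@ -403,39 +402,6 @@ hunk, dropping the group_sid and global_sid_World ACE blocks changes the effective access on every object that lacks an NT ACL xattr, yet the diff touches only source3/modules/vfs_acl_common.c and carries no regression test or documentation update. A test that repeats the steps from the commit message (mkdir under a parent whose only ACE is non-inheritable, then read the DACL back and expect exactly the owner and NT Authority\SYSTEM entries) would pin the new behaviour. Since the file name indicates shared code while the subject line names only vfs_acl_xattr, the commit message should also say which other modules built on this file pick up the change. The aces array is declared outside the visible context; if it was sized for the old "up to 4 ACEs" it can be reduced to match.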