</listitem>
</varlistentry>
+ <varlistentry>
+ <term>fruit:ignore_zero_aces = yes | no</term>
+ <listitem>
+
+ <para>When <parameter>fruit:ignore_zero_aces</parameter> is
+ enabled, attempts to modify filesystem permissions fail if the ACL
+ sent over the wire contains no ACEs. This is completely valid
+ client behaviour, but it means subsequently no further access is
+ possible to the file, unless permissions get fixed by an
+ administrator.</para>
+ <para>This problematic behaviour has been reported for latest
+ macOS versions and this new option allows to work around
+ it.</para>
+ <para>The default is <emphasis>yes</emphasis>.</para>
+
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
bool wipe_intentionally_left_blank_rfork;
bool delete_empty_adfiles;
bool validate_afpinfo;
+ bool ignore_zero_aces;
/*
* Additional options, all enabled by default,
config->posix_opens = lp_parm_bool(
SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_opens", true);
+ config->ignore_zero_aces = lp_parm_bool(SNUM(handle->conn),
+ FRUIT_PARAM_TYPE_NAME,
+ "ignore_zero_aces",
+ true);
+
config->aapl_zero_file_id =
lp_parm_bool(SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME,
"zero_file_id", true);
uint32_t security_info_sent,
const struct security_descriptor *orig_psd)
{
+ struct fruit_config_data *config = NULL;
NTSTATUS status;
bool do_chmod;
mode_t ms_nfs_mode = 0;
struct security_descriptor *psd = NULL;
uint32_t orig_num_aces = 0;
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct fruit_config_data,
+ return NT_STATUS_UNSUCCESSFUL);
+
if (orig_psd->dacl != NULL) {
orig_num_aces = orig_psd->dacl->num_aces;
}
DBG_DEBUG("%s\n", fsp_str_dbg(fsp));
+ if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) {
+ /*
+ * Just ignore Set-ACL requests with zero ACEs.
+ */
+ return NT_STATUS_OK;
+ }
+
status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
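Review bot: The added check reads `psd->dacl->num_aces` without testing `psd->dacl` for NULL, although the top of this function guards `orig_psd->dacl != NULL` before reading the same field. The assignment of `psd` lies outside the visible hunks, but if it is a copy of `orig_psd`, a set-security-descriptor request that carries no DACL would presumably dereference NULL here and crash the smbd process serving that connection. The condition should then be `if (config->ignore_zero_aces && psd->dacl != NULL && psd->dacl->num_aces == 0) {`. Separately, the early return reports NT_STATUS_OK without applying or logging anything, while the manpage text added in this commit says such attempts "fail". A line such as `DBG_INFO("ignoring Set-ACL with zero ACEs: %s\n", fsp_str_dbg(fsp));` would make dropped ACL changes traceable, and the documentation should say the request is silently ignored.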