ksmbd: apply create security descriptor first
authorNamjae Jeon <linkinjeon@kernel.org>
Sun, 21 Jun 2026 10:47:56 +0000 (19:47 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 23 Jun 2026 01:15:05 +0000 (20:15 -0500)
smb2.create.aclfile creates files with an SMB2_CREATE_SD_BUFFER create
context and expects the resulting security descriptor to match
the descriptor supplied by the client.

ksmbd currently tries to inherit the parent DACL first and only parses
the SMB2_CREATE_SD_BUFFER context when DACL inheritance fails.
If inheritance succeeds, the explicit security descriptor supplied on
create is ignored. This breaks create requests that include owner/group
information in the security descriptor.

Apply the create security descriptor first when the context is present.
Fall back to the existing inherited/default ACL path only when no create
security descriptor was supplied.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index 68d7616900029d0aa1871170276a48b84a245c69..6b84a8ea5b154c83efd5bcfc73e5090e781cb53b 100644 (file)
@@ -3651,14 +3651,16 @@ int smb2_open(struct ksmbd_work *work)
                if (posix_acl_rc)
                        ksmbd_debug(SMB, "inherit posix acl failed : %d\n", posix_acl_rc);
 
-               if (test_share_config_flag(work->tcon->share_conf,
-                                          KSMBD_SHARE_FLAG_ACL_XATTR)) {
-                       rc = smb_inherit_dacl(conn, &path, sess->user->uid,
-                                             sess->user->gid);
-               }
+               rc = smb2_create_sd_buffer(work, req, &path);
+               if (rc && rc != -ENOENT)
+                       goto err_out;
 
-               if (rc) {
-                       rc = smb2_create_sd_buffer(work, req, &path);
+               if (rc == -ENOENT) {
+                       if (test_share_config_flag(work->tcon->share_conf,
+                                                  KSMBD_SHARE_FLAG_ACL_XATTR)) {
+                               rc = smb_inherit_dacl(conn, &path, sess->user->uid,
+                                                     sess->user->gid);
+                       }
                        if (rc) {
                                if (posix_acl_rc)
                                        ksmbd_vfs_set_init_posix_acl(idmap,
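Review bot: The call to `smb2_create_sd_buffer()` is no longer gated by `KSMBD_SHARE_FLAG_ACL_XATTR`, so a client-supplied descriptor is now applied on every share; when the flag is clear and no context was sent, `rc` stays `-ENOENT` and enters the `if (rc)` default-ACL branch, which the removed code appears to have skipped in that case. If both effects are intended, say so in a comment above the call, e.g. `/* -ENOENT: no SMB2_CREATE_SD_BUFFER context, use inherited/default ACL; any other error fails the create */`. `-ENOENT` is also the only "context absent" signal, so if anything beneath the helper (not in this hunk) can return `-ENOENT` for another reason, a descriptor that could not be applied would silently fall back to the inherited DACL instead of failing the request. The new `goto err_out` appears to run after the file has been created, so confirm the error path does not leave the new file behind carrying only the inherited POSIX ACL. smb2_open starts and ends outside the hunk.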