mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
vfs_acl_xattr: objects without NT ACL xattr
Even with "ignore system acls" set to "yes", for objects without NT ACL xattr we use the underlying filesystem permissions to construct an NT ACL. This can result in *very* unexpected permissions, eg: - a directory with the following ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\root ACL:SLOW\slow:ALLOWED/0x0/FULL So only one non-inheritable(!) ACE. - creating a subdirectory: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1" - checking whether there's an ACL xattr: $ getfattr -m "" /Volumes/normal/dir1 getfattr: Removing leading '/' from absolute path names system.posix_acl_access system.posix_acl_default user.DOSATTRIB So there isn't an ACL xattr, because there where no inheritable ACEs on the parent folder. - reading the new subdirectories ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:Unix Group\slow:ALLOWED/0x0/READ ACL:Everyone:ALLOWED/0x0/READ ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming from the underlying filesystem. This is the problem. - Windows assigns the following ACL in this situation: $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir" REVISION:1 CONTROL:SR|PD|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1" $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1" REVISION:1 CONTROL:SR|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL By changing make_default_filesystem_acl() to only adds user and system ACE to the ACL of objects that lack an ACL xattr, we match Windows behaviour: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2" $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
This commit is contained in:
parent
afc2417b10
commit
961c4b591b
@ -24,6 +24,7 @@
|
||||
#include "../libcli/security/security.h"
|
||||
#include "../librpc/gen_ndr/ndr_security.h"
|
||||
#include "../lib/util/bitmap.h"
|
||||
#include "passdb/lookup_sid.h"
|
||||
|
||||
static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
|
||||
DATA_BLOB *pblob,
|
||||
@ -378,12 +379,10 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
|
||||
gid_to_sid(&group_sid, psbuf->st_ex_gid);
|
||||
|
||||
/*
|
||||
We provide up to 4 ACEs
|
||||
- Owner
|
||||
- Group
|
||||
- Everyone
|
||||
- NT System
|
||||
*/
|
||||
* We provide 2 ACEs:
|
||||
* - Owner
|
||||
* - NT System
|
||||
*/
|
||||
|
||||
if (mode & S_IRUSR) {
|
||||
if (mode & S_IWUSR) {
|
||||
@ -403,39 +402,6 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
|
||||
0);
|
||||
idx++;
|
||||
|
||||
access_mask = 0;
|
||||
if (mode & S_IRGRP) {
|
||||
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
|
||||
}
|
||||
if (mode & S_IWGRP) {
|
||||
/* note that delete is not granted - this matches posix behaviour */
|
||||
access_mask |= SEC_RIGHTS_FILE_WRITE;
|
||||
}
|
||||
if (access_mask) {
|
||||
init_sec_ace(&aces[idx],
|
||||
&group_sid,
|
||||
SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||
access_mask,
|
||||
0);
|
||||
idx++;
|
||||
}
|
||||
|
||||
access_mask = 0;
|
||||
if (mode & S_IROTH) {
|
||||
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
|
||||
}
|
||||
if (mode & S_IWOTH) {
|
||||
access_mask |= SEC_RIGHTS_FILE_WRITE;
|
||||
}
|
||||
if (access_mask) {
|
||||
init_sec_ace(&aces[idx],
|
||||
&global_sid_World,
|
||||
SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||
access_mask,
|
||||
0);
|
||||
idx++;
|
||||
}
|
||||
|
||||
init_sec_ace(&aces[idx],
|
||||
&global_sid_System,
|
||||
SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||
|
Loading…
Reference in New Issue
Block a user