
vfs_acl_xattr: objects without NT ACL xattr

Even with "ignore system acls" set to "yes", for objects without NT ACL
xattr we use the underlying filesystem permissions to construct an NT
ACL. This can result in *very* unexpected permissions, eg:

- a directory with the following ACL:

$ ./bin/smbcacls -Uslow%pass //localhost/normal ""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\root
ACL:SLOW\slow:ALLOWED/0x0/FULL

So only one non-inheritable(!) ACE.

- creating a subdirectory:

$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"

- checking whether there's an ACL xattr:

$ getfattr -m "" /Volumes/normal/dir1
getfattr: Removing leading '/' from absolute path names
system.posix_acl_access
system.posix_acl_default
user.DOSATTRIB

So there isn't an ACL xattr, because there where no inheritable ACEs on
the parent folder.

- reading the new subdirectories ACL:

$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:Unix Group\slow:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/READ
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL

The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
from the underlying filesystem. This is the problem.

- Windows assigns the following ACL in this situation:

$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL

$ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"

$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
REVISION:1
CONTROL:SR|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL

By changing make_default_filesystem_acl() to only add the user and system
ACEs to the ACL of objects that lack an ACL xattr, we match Windows
behaviour:

$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"

$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
Ralph Boehme 2016-07-15 17:48:19 +02:00
parent afc2417b10
commit 961c4b591b


@ -24,6 +24,7 @@
#include "../libcli/security/security.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "../lib/util/bitmap.h"
#include "passdb/lookup_sid.h"
static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
DATA_BLOB *pblob,
@ -378,12 +379,10 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
gid_to_sid(&group_sid, psbuf->st_ex_gid);
/*
We provide up to 4 ACEs
- Owner
- Group
- Everyone
- NT System
*/
* We provide 2 ACEs:
* - Owner
* - NT System
*/
if (mode & S_IRUSR) {
if (mode & S_IWUSR) {
@ -403,39 +402,6 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
0);
idx++;
access_mask = 0;
if (mode & S_IRGRP) {
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
}
if (mode & S_IWGRP) {
/* note that delete is not granted - this matches posix behaviour */
access_mask |= SEC_RIGHTS_FILE_WRITE;
}
if (access_mask) {
init_sec_ace(&aces[idx],
&group_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
access_mask,
0);
idx++;
}
access_mask = 0;
if (mode & S_IROTH) {
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
}
if (mode & S_IWOTH) {
access_mask |= SEC_RIGHTS_FILE_WRITE;
}
if (access_mask) {
init_sec_ace(&aces[idx],
&global_sid_World,
SEC_ACE_TYPE_ACCESS_ALLOWED,
access_mask,
0);
idx++;
}
init_sec_ace(&aces[idx],
&global_sid_System,
SEC_ACE_TYPE_ACCESS_ALLOWED,