Arcadio Sincero
2002-Jul-02 08:01 UTC
[Samba] Bug with Samba ACL support or did I screw up somewhere?
Hello list,

I am using Samba 2.2.5 configured as a Win2k domain member with a Win2k Adv Server box acting as Domain Controller. Samba is running on a Linux 2.4.18 box with the extended attributes and ACL support patches applied. I am using the ext3 filesystem on the filesystems being shared via Samba to the Windows 2000/XP boxen on the network. And I do have the winbindd daemon running and it appears to properly map domain SIDs to UNIX uids/gids.

However, there seems to be an issue with the ACL support in Samba (or maybe I just screwed up the configuration somewhere). I have the following in the [global] section of the smb.conf file:

    create mode = 0600
    map hidden = no
    map system = no
    map archive = no

When I create a file on a file share from a WinXP Pro box (Right Click -> New -> Text Document for example), the above settings create the file with the following permissions:

    [~]: getfacl New\ Text\ Document.txt
    # file: New Text Document.txt
    # owner: asincero
    # group: Domain Users
    user::rw-
    group::---
    other::---

That's to be expected. Trying to set the Hidden and Archive attributes from the file's property sheet from Explorer on the WinXP box has no effect, and that's also expected behavior.

However, when I add another user to this file's ACL, things start to get screwy when I attempt to set the Read-only, Hidden and/or Archive attributes from the file's property sheet. I'll add the domain user "aps" to the file's ACL from a WinXP box and give him read and execute permissions (the default whenever you add a new user to a file's ACL from the 2k/XP security tab of a file's property sheet):

    [~]: getfacl New\ Text\ Document.txt
    # file: New Text Document.txt
    # owner: asincero
    # group: Domain Users
    user::rw-
    user:aps:r-x
    group::---
    mask::rwx
    other::---

Now, I'll click the Hidden attribute checkbox from the file's property sheet from Explorer on the WinXP box. The following is the result:

    [~]: getfacl New\ Text\ Document.txt
    # file: New Text Document.txt
    # owner: asincero
    # group: Domain Users
    user::rw-
    user:aps:r-x
    group::rwx
    mask::rwx
    other::---

Notice that group members now have full access to do whatever they like to the file!! The same thing happens when I select the Archive attribute instead of the Hidden attribute. When I select the Read-only attribute, the file permissions become:

    [~]: getfacl New\ Text\ Document.txt
    # file: New Text Document.txt
    # owner: asincero
    # group: Domain Users
    user::r--
    user:aps:r-x
    group::r-x
    mask::rwx
    other::---

The group permissions magically get the read and executable permissions :-/. Anybody have any idea what's going on here? Is it a bug or did I screw up somewhere?

I suppose the quick fix to this is to set the security mask to something like "0700". But this means users won't be able to manipulate the group permissions (and with a mask like 0700, the other permissions as well) from the Security Tab from the 2k/XP boxen :-/.

Thanks in advance for any help with this.

- Arcadio
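An added example, not part of Arcadio's message and not Samba code: a small Python checker that parses `getfacl` output, applies the POSIX ACL mask to get each entry's effective rights, and reports which entries gained bits between two snapshots. That is the check an administrator would run to confirm a widening like the one above (group:: going from --- to rwx) rather than eyeballing listings. The three ACL listings are copied from the post; the parser, the mask logic and the `dos_attr_exec_bits` helper (which encodes the documented smb.conf mapping of archive/system/hidden to the owner/group/other execute bit when the corresponding `map ...` option is on) are assumptions of this example.

```python
import re

# ACL listings copied from the post above (prompt line omitted).
BEFORE = """\
# file: New Text Document.txt
# owner: asincero
# group: Domain Users
user::rw-
user:aps:r-x
group::---
mask::rwx
other::---
"""

AFTER_HIDDEN = """\
user::rw-
user:aps:r-x
group::rwx
mask::rwx
other::---
"""

AFTER_READONLY = """\
user::r--
user:aps:r-x
group::r-x
mask::rwx
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_getfacl(text):
    """Map 'tag:qualifier' (e.g. 'user:aps', 'group:', 'mask:') to permission bits.
    Comment lines are skipped; any trailing '#effective:' annotation is ignored."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qual, perm = line.split()[0].split(":")
        acl[f"{tag}:{qual}"] = perm_to_bits(perm)
    return acl


def effective(acl):
    """Apply the POSIX ACL mask: named users, named groups and the owning group
    are limited by mask::; the owner (user::) and other:: are not."""
    mask = acl.get("mask:")
    eff = {}
    for key, bits in acl.items():
        if key == "mask:":
            continue
        if mask is not None and key not in ("user:", "other:"):
            bits &= mask
        eff[key] = bits
    return eff


def widened_entries(before, after):
    """Entries whose effective rights gained bits, with the gained bits as 'rwx' text."""
    eb, ea = effective(before), effective(after)
    gained = {}
    for key in set(eb) | set(ea):
        extra = ea.get(key, 0) & ~eb.get(key, 0)
        if extra:
            gained[key] = bits_to_perm(extra)
    return gained


def dos_attr_exec_bits(attrs, map_archive=True, map_system=True, map_hidden=True):
    """Execute bits Samba stores for DOS attributes when the matching 'map ...'
    option is on: archive -> owner x, system -> group x, hidden -> other x.
    With all three options off (as in the post) this is always 0."""
    bits = 0
    if "archive" in attrs and map_archive:
        bits |= 0o100
    if "system" in attrs and map_system:
        bits |= 0o010
    if "hidden" in attrs and map_hidden:
        bits |= 0o001
    return bits


if __name__ == "__main__":
    base = parse_getfacl(BEFORE)
    for label, snap in (("hidden", AFTER_HIDDEN), ("read-only", AFTER_READONLY)):
        print(label, "widened:", widened_entries(base, parse_getfacl(snap)))
```

Run against live output by substituting `subprocess.check_output(["getfacl", path], text=True)` for the constants; an empty result from `widened_entries` means no entry gained effective rights after the attribute change.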